diff --git a/.github/configs/renovate-config.js b/.github/configs/renovate-config.js
index ae6ca2bec0..694c41ff14 100644
--- a/.github/configs/renovate-config.js
+++ b/.github/configs/renovate-config.js
@@ -4,6 +4,7 @@ module.exports = {
 autodiscover: false,
 allowPostUpgradeCommandTemplating: true,
 allowedPostUpgradeCommands: ["make mockgen"],
+ binarySource: 'install',
 extends: [
 "github>argoproj/argo-cd//renovate-presets/commons.json5",
 "github>argoproj/argo-cd//renovate-presets/custom-managers/shell.json5",
diff --git a/.github/pr-title-checker-config.json b/.github/pr-title-checker-config.json
index c3437def33..1616695f29 100644
--- a/.github/pr-title-checker-config.json
+++ b/.github/pr-title-checker-config.json
@@ -1,15 +1,15 @@
 {
- "LABEL": {
- "name": "title needs formatting",
- "color": "EEEEEE"
- },
- "CHECKS": {
- "prefixes": ["[Bot] docs: "],
- "regexp": "^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
- },
- "MESSAGES": {
- "success": "PR title is valid",
- "failure": "PR title is invalid",
- "notice": "PR Title needs to pass regex '^(feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
- }
+ "LABEL": {
+ "name": "title needs formatting",
+ "color": "EEEEEE"
+ },
+ "CHECKS": {
+ "prefixes": ["[Bot] docs: "],
+ "regexp": "^(refactor|feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
+ },
+ "MESSAGES": {
+ "success": "PR title is valid",
+ "failure": "PR title is invalid",
+ "notice": "PR Title needs to pass regex '^(refactor|feat|fix|docs|test|ci|chore)!?(\\(.*\\))?!?:.*"
 }
+}
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
index b6348eae93..fa5f5ccb7c 100644
--- a/.github/workflows/README.md
+++ b/.github/workflows/README.md
@@ -11,6 +11,7 @@
 | release.yaml | Build images, cli-binaries, provenances, and post actions |
 | scorecard.yaml | Generate scorecard for supply-chain security |
 | update-snyk.yaml | Scheduled snyk reports |
+| stale.yaml | Labels stale issues and PRs |
 
 # Reusable workflows
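Review bot: `binarySource: 'install'` makes Renovate download the toolchains it needs (Go for the allowed `make mockgen` post-upgrade command, among others) at run time, so the Go version is no longer the one pinned by the `# renovate: datasource=golang-version` annotation that the workflow's removed setup-go step used to enforce, but whatever Renovate resolves from the repository's constraints. If a specific toolchain matters for the generated mocks, pin it in this config with `constraints: { go: '1.26.0' }` next to `binarySource` so the install is deterministic and the version bump stays reviewable in one place. Presumably these downloads happen over the network inside a job that also holds the App token used to push branches — worth confirming the install source is one you are comfortable trusting on that runner.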
diff --git a/.github/workflows/cherry-pick-single.yml b/.github/workflows/cherry-pick-single.yml
index 1f70dd5fc7..d48ef3cbda 100644
--- a/.github/workflows/cherry-pick-single.yml
+++ b/.github/workflows/cherry-pick-single.yml
@@ -32,7 +32,7 @@ jobs:
 steps:
 - name: Generate a token
 id: generate-token
- uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+ uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
 with:
 app-id: ${{ secrets.CHERRYPICK_APP_ID }}
 private-key: ${{ secrets.CHERRYPICK_APP_PRIVATE_KEY }}
diff --git a/.github/workflows/ci-build.yaml b/.github/workflows/ci-build.yaml
index 5caaeba7d3..c795bd4f8d 100644
--- a/.github/workflows/ci-build.yaml
+++ b/.github/workflows/ci-build.yaml
@@ -14,7 +14,7 @@ on:
 env:
 # Golang version to use across CI steps
 # renovate: datasource=golang-version packageName=golang
- GOLANG_VERSION: '1.25.6'
+ GOLANG_VERSION: '1.26.0'
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -32,7 +32,7 @@ jobs:
 docs: ${{ steps.filter.outputs.docs_any_changed }}
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: tj-actions/changed-files@e0021407031f5be11a464abee9a0776171c79891 # v47.0.1
+ uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
 id: filter
 with:
 # Any file which is not under docs/, ui/ or is not a markdown file is counted as a backend file
@@ -81,7 +81,7 @@ jobs:
 with:
 go-version: ${{ env.GOLANG_VERSION }}
 - name: Restore go build cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ~/.cache/go-build
 key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -110,8 +110,8 @@ jobs:
 - name: Run golangci-lint
 uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
 with:
- # renovate: datasource=go packageName=github.com/golangci/golangci-lint versioning=regex:^v(?\d+)\.(?\d+)\.(?\d+)?$
- version: v2.5.0
+ # renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2 versioning=regex:^v(?\d+)\.(?\d+)\.(?\d+)?$
+ version: v2.9.0
 args: --verbose
 
 test-go:
@@ -152,7 +152,7 @@ jobs:
 run: |
 echo "/usr/local/bin" >> $GITHUB_PATH
 - name: Restore go build cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ~/.cache/go-build
 key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -216,7 +216,7 @@ jobs:
 run: |
 echo "/usr/local/bin" >> $GITHUB_PATH
 - name: Restore go build cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ~/.cache/go-build
 key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -315,7 +315,7 @@ jobs:
 node-version: '22.9.0'
 - name: Restore node dependency cache
 id: cache-dependencies
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ui/node_modules
 key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -365,27 +365,23 @@ jobs:
 fetch-depth: 0
 - name: Restore node dependency cache
 id: cache-dependencies
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ui/node_modules
 key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
- if: env.codecov_secret != ''
 - name: Remove other node_modules directory
 run: |
 rm -rf ui/node_modules/argo-ui/node_modules
- if: env.codecov_secret != ''
 - name: Get e2e code coverage
 uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: e2e-code-coverage
 path: e2e-code-coverage
- if: env.codecov_secret != ''
 - name: Get unit test code coverage
 uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
 with:
 name: test-results
 path: test-results
- if: env.codecov_secret != ''
 - name: combine-go-coverage
 # We generate coverage reports for all Argo CD components, but only the applicationset-controller,
 # app-controller, repo-server, and commit-server report contain coverage data. The other components currently
@@ -393,18 +389,18 @@ jobs:
 # references to their coverage output directories.
 run: |
 go tool covdata percent -i=test-results,e2e-code-coverage/applicationset-controller,e2e-code-coverage/repo-server,e2e-code-coverage/app-controller,e2e-code-coverage/commit-server -o test-results/full-coverage.out
- if: env.codecov_secret != ''
 - name: Upload code coverage information to codecov.io
+ # Only run when the workflow is for upstream (PR target or push is in argoproj/argo-cd).
+ if: github.repository == 'argoproj/argo-cd'
 uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 with:
 files: test-results/full-coverage.out
 fail_ci_if_error: true
 env:
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- if: env.codecov_secret != ''
 - name: Upload test results to Codecov
- # Codecov uploads test results to Codecov.io on upstream master branch and on fork master branch if the token is configured.
- if: env.codecov_secret != '' && github.ref == 'refs/heads/master' && github.event_name == 'push'
+ # Codecov uploads test results to Codecov.io on upstream master branch.
+ if: github.repository == 'argoproj/argo-cd' && github.ref == 'refs/heads/master' && github.event_name == 'push'
 uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 with:
 files: test-results/junit.xml
@@ -480,7 +476,7 @@ jobs:
 sudo chmod go-r $HOME/.kube/config
 kubectl version
 - name: Restore go build cache
- uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
 with:
 path: ~/.cache/go-build
 key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
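Review bot: The new guard `if: github.repository == 'argoproj/argo-cd'` is also true for `pull_request` runs opened from forks, because `github.repository` names the base repository, yet `secrets.CODECOV_TOKEN` is not exposed to fork PRs; the coverage upload step then runs with an empty token under `fail_ci_if_error: true`, which is the case the removed `env.codecov_secret != ''` guard was protecting against. Unless codecov-action is known to accept tokenless uploads from forks here, tighten the condition to `if: github.repository == 'argoproj/argo-cd' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`, and mirror it on the junit upload below. The job this belongs to starts before the hunk, so the removed `codecov_secret` env definition may still be declared there and should be cleaned up if it is now unused.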
@@ -506,7 +502,7 @@ jobs:
 git config --global user.email "john.doe@example.com"
 - name: Pull Docker image required for tests
 run: |
- docker pull ghcr.io/dexidp/dex:v2.43.0
+ docker pull ghcr.io/dexidp/dex:v2.44.0
 docker pull argoproj/argo-cd-ci-builder:v1.0.0
 docker pull redis:8.2.3-alpine
 - name: Create target directory for binaries in the build-process
diff --git a/.github/workflows/image-reuse.yaml b/.github/workflows/image-reuse.yaml
index 2b71e98de0..3822584410 100644
--- a/.github/workflows/image-reuse.yaml
+++ b/.github/workflows/image-reuse.yaml
@@ -103,7 +103,7 @@ jobs:
 echo 'EOF' >> $GITHUB_ENV
 
 - name: Login to Quay.io
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: quay.io
 username: ${{ secrets.quay_username }}
@@ -111,7 +111,7 @@ jobs:
 if: ${{ inputs.quay_image_name && inputs.push }}
 
 - name: Login to GitHub Container Registry
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 registry: ghcr.io
 username: ${{ secrets.ghcr_username }}
@@ -119,7 +119,7 @@ jobs:
 if: ${{ inputs.ghcr_image_name && inputs.push }}
 
 - name: Login to dockerhub Container Registry
- uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
 with:
 username: ${{ secrets.docker_username }}
 password: ${{ secrets.docker_password }}
@@ -142,7 +142,7 @@ jobs:
 
 - name: Build and push container image
 id: image
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 #v6.19.2
 with:
 context: .
 platforms: ${{ inputs.platforms }}
diff --git a/.github/workflows/image.yaml b/.github/workflows/image.yaml
index ba6c3ab21e..81bd73f4ba 100644
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@@ -86,7 +86,7 @@ jobs:
 with:
 # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
 # renovate: datasource=golang-version packageName=golang
- go-version: 1.25.6
+ go-version: 1.26.0
 platforms: ${{ needs.set-vars.outputs.platforms }}
 push: false
 
@@ -103,7 +103,7 @@ jobs:
 ghcr_image_name: ${{ needs.set-vars.outputs.ghcr_image_name }}
 # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
 # renovate: datasource=golang-version packageName=golang
- go-version: 1.25.6
+ go-version: 1.26.0
 platforms: ${{ needs.set-vars.outputs.platforms }}
 push: true
 secrets:
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index ac0a2c1f7e..850251f413 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -11,7 +11,7 @@ permissions: {}
 
 env:
 # renovate: datasource=golang-version packageName=golang
- GOLANG_VERSION: '1.25.6' # Note: go-version must also be set in job argocd-image.with.go-version
+ GOLANG_VERSION: '1.26.0' # Note: go-version must also be set in job argocd-image.with.go-version
 
 jobs:
 argocd-image:
@@ -26,7 +26,7 @@ jobs:
 quay_image_name: ${{ needs.setup-variables.outputs.quay_image_name }}
 # Note: cannot use env variables to set go-version (https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations)
 # renovate: datasource=golang-version packageName=golang
- go-version: 1.25.6
+ go-version: 1.26.0
 platforms: linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
 push: true
 secrets:
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 66f4afa905..948d97b520 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -22,15 +22,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # 6.0.2
 
- # Some codegen commands require Go to be setup
- - name: Setup Golang
- uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
- with:
- # renovate: datasource=golang-version packageName=golang
- go-version: 1.25.6
-
 - name: Self-hosted Renovate
- uses: renovatebot/github-action@8cb0d4a6ab7d8bb90460a005f7bd33b80dd07ca8 #44.2.5
+ uses: renovatebot/github-action@d65ef9e20512193cc070238b49c3873a361cd50c #46.1.1
 with:
 configurationFile: .github/configs/renovate-config.js
 token: '${{ steps.get_token.outputs.token }}'
diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
new file mode 100644
index 0000000000..5881b7cf68
--- /dev/null
+++ b/.github/workflows/stale.yaml
@@ -0,0 +1,33 @@
+name: "Label stale issues and PRs"
+on:
+ schedule:
+ - cron: "0 0 * * *" #Runs midnight 12AM UTC
+
+#Added Recommended permissions
+permissions:
+ issues: write
+ pull-requests: write
+
+jobs:
+ stale:
+ runs-on: ubuntu-24.04
+ steps:
+ - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # v10.2.0
+ with:
+ repo-token: ${{ secrets.GITHUB_TOKEN }}
+
+ stale-issue-message: >
+ This issue has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+ stale-pr-message: >
+ This pull request has been marked as stale because it has had no activity for 90 days. Please comment if this is still relevant.
+
+ days-before-stale: 90
+ days-before-close: -1 # Auto-close diabled
+
+ exempt-issue-labels: >
+ bug, security, breaking/high, breaking/medium, breaking/low
+
+ # General configuration
+ operations-per-run: 200
+ remove-stale-when-updated: true #Remove stale label when issue/pr is updated
diff --git a/.golangci.yaml b/.golangci.yaml
index 3219d361f6..273b4ac84e 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
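Review bot: `exempt-issue-labels` only protects issues, so a pull request carrying the `security` or `breaking/*` label still gets the stale label (and the "no activity" comment) after 90 days; add the matching `exempt-pr-labels: bug, security, breaking/high, breaking/medium, breaking/low` under `with:` if the same policy is meant for PRs. A `schedule` trigger also fires in every fork of the repository, so guard the job with `if: github.repository == 'argoproj/argo-cd'` to keep forks from commenting on their own copies. The inline comment on `days-before-close` should read `# Auto-close disabled`.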
@@ -22,6 +22,7 @@ linters:
 - govet
 - importas
 - misspell
+ - modernize
 - noctx
 - perfsprint
 - revive
@@ -121,6 +122,13 @@ linters:
 - pkg: github.com/argoproj/argo-cd/v3/util/io
 alias: utilio
 
+ modernize:
+ disable:
+ # Suggest replacing omitempty with omitzero for struct fields.
+ - omitzero
+ # Simplify code by using go1.26's new(expr). - generates lots of false positives.
+ - newexpr
+
 nolintlint:
 require-specific: true
diff --git a/.mockery.yaml b/.mockery.yaml
index 62b18c2f41..bfb0a60266 100644
--- a/.mockery.yaml
+++ b/.mockery.yaml
@@ -79,10 +79,10 @@ packages:
 github.com/argoproj/argo-cd/v3/util/workloadidentity:
 interfaces:
 TokenProvider: {}
- github.com/argoproj/gitops-engine/pkg/cache:
+ github.com/argoproj/argo-cd/gitops-engine/pkg/cache:
 interfaces:
 ClusterCache: {}
- github.com/argoproj/gitops-engine/pkg/diff:
+ github.com/argoproj/argo-cd/gitops-engine/pkg/diff:
 interfaces:
 ServerSideDryRunner: {}
 github.com/microsoft/azure-devops-go-api/azuredevops/v7/git:
diff --git a/Dockerfile b/Dockerfile
index 44971350a3..ad01b630ab 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,10 @@
-ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:5922638447b1e3ba114332c896a2c7288c876bb94adec923d70d58a17d2fec5e
+ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e
 ####################################################################################################
 # Builder image
 # Initial stage which pulls prepares build dependencies and CLI tooling we need for our final image
 # Also used as the image in CI jobs so needs all dependencies
 ####################################################################################################
-FROM docker.io/library/golang:1.25.6@sha256:ce63a16e0f7063787ebb4eb28e72d477b00b4726f79874b3205a965ffd797ab2 AS builder
+FROM docker.io/library/golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 AS builder
 
 WORKDIR /tmp
@@ -16,7 +16,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 unzip \
 fcgiwrap \
 git \
- git-lfs \
 make \
 wget \
 gcc \
@@ -29,7 +28,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
 
 RUN ./install.sh helm && \
- INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+ INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+ ./install.sh git-lfs
 
 ####################################################################################################
 # Argo CD Base - used as the base for both the release and dev argocd images
@@ -51,7 +51,7 @@ RUN groupadd -g $ARGOCD_USER_ID argocd && \
 apt-get update && \
 apt-get dist-upgrade -y && \
 apt-get install --no-install-recommends -y \
- git git-lfs tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
+ git tini ca-certificates gpg gpg-agent tzdata connect-proxy openssh-client && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*
 
@@ -61,6 +61,7 @@ COPY hack/gpg-wrapper.sh \
 /usr/local/bin/
 COPY --from=builder /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=builder /usr/local/bin/kustomize /usr/local/bin/kustomize
+COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
 
 # keep uid_entrypoint.sh for backward compatibility
 RUN ln -s /usr/local/bin/entrypoint.sh /usr/local/bin/uid_entrypoint.sh
@@ -79,6 +80,12 @@ RUN mkdir -p tls && \
 
 ENV USER=argocd
 
+# Disable gRPC service config lookups via DNS TXT records to prevent excessive
+# DNS queries for _grpc_config. which can cause timeouts in dual-stack
+# environments. This can be overridden via argocd-cmd-params-cm ConfigMap.
+# See https://github.com/argoproj/argo-cd/issues/24991
+ENV GRPC_ENABLE_TXT_SERVICE_CONFIG=false
+
 USER $ARGOCD_USER_ID
 WORKDIR /home/argocd
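Review bot: Sourcing git-lfs from `./install.sh git-lfs` instead of the Ubuntu package moves it out of the set of binaries that `apt-get dist-upgrade -y` patches in the base stage, so CVE fixes for git-lfs now arrive only through a version bump in `hack/tool-versions.sh`, and the binary's integrity depends entirely on what the installer does (neither `hack/tool-versions.sh` nor `hack/installers/` is part of this diff). Please confirm the git-lfs installer pins an exact version and verifies the upstream checksum or signature before copying the binary, as the `COPY --from=builder /usr/local/bin/git-lfs` line makes it part of the release image. A short comment at the install line would help the next reader, e.g. `# git-lfs is installed from upstream releases (pinned + checksum-verified in hack/installers) rather than apt; bump via hack/tool-versions.sh`. The `COPY` also assumes install.sh's default `INSTALL_PATH` is `/usr/local/bin`, which the helm line already relies on.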
@@ -103,7 +110,7 @@ RUN HOST_ARCH=$TARGETARCH NODE_ENV='production' NODE_ONLINE_ENV='online' NODE_OP
 ####################################################################################################
 # Argo CD Build stage which performs the actual build of Argo CD binaries
 ####################################################################################################
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.25.6@sha256:ce63a16e0f7063787ebb4eb28e72d477b00b4726f79874b3205a965ffd797ab2 AS argocd-build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 AS argocd-build
 
 WORKDIR /go/src/github.com/argoproj/argo-cd
 
diff --git a/Dockerfile.tilt b/Dockerfile.tilt
index c9a96a129e..ffed1c60a5 100644
--- a/Dockerfile.tilt
+++ b/Dockerfile.tilt
@@ -1,4 +1,4 @@
-FROM docker.io/library/golang:1.25.6@sha256:ce63a16e0f7063787ebb4eb28e72d477b00b4726f79874b3205a965ffd797ab2
+FROM docker.io/library/golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5
 
 ENV DEBIAN_FRONTEND=noninteractive
 
@@ -11,7 +11,6 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
 unzip \
 fcgiwrap \
 git \
- git-lfs \
 make \
 wget \
 gcc \
@@ -28,7 +27,8 @@ COPY hack/install.sh hack/tool-versions.sh ./
 COPY hack/installers installers
 
 RUN ./install.sh helm && \
- INSTALL_PATH=/usr/local/bin ./install.sh kustomize
+ INSTALL_PATH=/usr/local/bin ./install.sh kustomize && \
+ ./install.sh git-lfs
 
 COPY hack/gpg-wrapper.sh \
 hack/git-verify-wrapper.sh \
diff --git a/MAINTAINERS.md b/MAINTAINERS.md
index dbb20a07d2..928de90b1f 100644
--- a/MAINTAINERS.md
+++ b/MAINTAINERS.md
@@ -18,14 +18,14 @@ This document lists the maintainers of the Argo CD project.
 | Dan Garfield | [todaywasawesome](https://github.com/todaywasawesome) | Approver(docs) | [Octopus Deploy](https://octopus.com/) |
 | Alexandre Gaudreault | [agaudreault](https://github.com/agaudreault) | Approver | [Intuit](https://www.github.com/intuit/) |
 | Christian Hernandez | [christianh814](https://github.com/christianh814) | Reviewer(docs) | [Akuity](https://akuity.io/) |
-| Peter Jiang | [pjiang](https://github.com/pjiang) | Reviewer | [Intuit](https://www.intuit.com/) |
+| Peter Jiang | [pjiang-dev](https://github.com/pjiang-dev) | Approver(docs) | [Intuit](https://www.intuit.com/) |
 | Andrii Korotkov | [andrii-korotkov](https://github.com/andrii-korotkov) | Reviewer | [Verkada](https://www.verkada.com/) |
 | Pasha Kostohrys | [pasha-codefresh](https://github.com/pasha-codefresh) | Approver | [Codefresh](https://www.github.com/codefresh/) |
 | Nitish Kumar | [nitishfy](https://github.com/nitishfy) | Approver(cli,docs) | [Akuity](https://akuity.io/) |
 | Justin Marquis | [34fathombelow](https://github.com/34fathombelow) | Approver(docs/ci) | [Akuity](https://akuity.io/) |
 | Alexander Matyushentsev | [alexmt](https://github.com/alexmt) | Lead | [Akuity](https://akuity.io/) |
 | Nicholas Morey | [morey-tech](https://github.com/morey-tech) | Reviewer(docs) | [Akuity](https://akuity.io/) |
-| Papapetrou Patroklos | [ppapapetrou76](https://github.com/ppapapetrou76) | Reviewer | [Octopus Deploy](https://octopus.com/) |
+| Papapetrou Patroklos | [ppapapetrou76](https://github.com/ppapapetrou76) | Approver(docs,cli) | [Octopus Deploy](https://octopus.com/) |
 | Blake Pettersson | [blakepettersson](https://github.com/blakepettersson) | Approver | [Akuity](https://akuity.io/) |
 | Ishita Sequeira | [ishitasequeira](https://github.com/ishitasequeira) | Approver | [Red Hat](https://redhat.com/) |
 | Ashutosh Singh | [ashutosh16](https://github.com/ashutosh16) | Approver(docs) | [Intuit](https://www.github.com/intuit/) |
@@ -37,3 +37,7 @@ This document lists the maintainers of the Argo CD project.
 | Regina Voloshin | [reggie-k](https://github.com/reggie-k) | Approver | [Octopus Deploy](https://octopus.com/) |
 | Hong Wang | [wanghong230](https://github.com/wanghong230) | Reviewer | [Akuity](https://akuity.io/) |
 | Jonathan West | [jgwest](https://github.com/jgwest) | Approver | [Red Hat](https://redhat.com/) |
+| Jaewoo Choi | [choejwoo](https://github.com/choejwoo) | Reviewer | [Hyundai-Autoever](https://www.hyundai-autoever.com/eng/) |
+| Alexy Mantha | [alexymantha](https://github.com/alexymantha) | Reviewer | GoTo |
+| Kanika Rana | [ranakan19](https://github.com/ranakan19) | Reviewer | [Red Hat](https://redhat.com/) |
+| Jonathan Winters | [jwinters01](https://github.com/jwinters01) | Reviewer | [Intuit](https://www.github.com/intuit/) |
diff --git a/Makefile b/Makefile
index af615c5497..5da75084d0 100644
--- a/Makefile
+++ b/Makefile
@@ -353,7 +353,7 @@ controller:
 build-ui:
 DOCKER_BUILDKIT=1 $(DOCKER) build -t argocd-ui --platform=$(TARGET_ARCH) --target argocd-ui .
 find ./ui/dist -type f -not -name gitkeep -delete
- $(DOCKER) run -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
+ $(DOCKER) run -u $(CONTAINER_UID):$(CONTAINER_GID) -v ${CURRENT_DIR}/ui/dist/app:/tmp/app --rm -t argocd-ui sh -c 'cp -r ./dist/app/* /tmp/app/'
 
 .PHONY: image
 ifeq ($(DEV_IMAGE), true)
@@ -445,7 +445,7 @@ test: test-tools-image
 .PHONY: test-local
 test-local: test-gitops-engine
 # run if TEST_MODULE is empty or does not point to gitops-engine tests
-ifneq ($(if $(TEST_MODULE),,ALL)$(filter-out github.com/argoproj/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter-out github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
 if test "$(TEST_MODULE)" = ""; then \
 DIST_DIR=${DIST_DIR} RERUN_FAILS=0 PACKAGES=`go list ./... | grep -v 'test/e2e'` ./hack/test.sh -args -test.gocoverdir="$(PWD)/test-results"; \
 else \
@@ -457,7 +457,7 @@ endif
 .PHONY: test-gitops-engine
 test-gitops-engine:
 # run if TEST_MODULE is empty or points to gitops-engine tests
-ifneq ($(if $(TEST_MODULE),,ALL)$(filter github.com/argoproj/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
+ifneq ($(if $(TEST_MODULE),,ALL)$(filter github.com/argoproj/argo-cd/gitops-engine% ./gitops-engine%,$(TEST_MODULE)),)
 mkdir -p $(PWD)/test-results
 cd gitops-engine && go test -race -cover ./... -args -test.gocoverdir="$(PWD)/test-results"
 endif
diff --git a/Tiltfile b/Tiltfile
index 57a8a7c8fb..24995088e4 100644
--- a/Tiltfile
+++ b/Tiltfile
@@ -60,7 +60,7 @@ k8s_yaml(kustomize('manifests/dev-tilt'))
 
 # build dev image
 docker_build_with_restart(
- 'argocd',
+ 'quay.io/argoproj/argocd:latest',
 context='.',
 dockerfile='Dockerfile.tilt',
 entrypoint=[
diff --git a/USERS.md b/USERS.md
index e9bec6cb67..a7c99185d1 100644
--- a/USERS.md
+++ b/USERS.md
@@ -331,6 +331,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Salad Technologies](https://salad.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [SAP Signavio](https://www.signavio.com)
 1. [Sauce Labs](https://saucelabs.com/)
 1. [Schneider Electric](https://www.se.com)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
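Review bot: Naming the locally built dev image `quay.io/argoproj/argocd:latest` means that any workload in `manifests/dev-tilt` whose image reference Tilt fails to rewrite (a tag mismatch, or a Pod spec Tilt does not track) silently pulls the real upstream `latest` image from quay instead of the code under test, which is hard to notice precisely because the image name looks right. If the rename is needed so Tilt matches the manifests' image field, add a comment on this line saying so, e.g. `# must match the image ref in manifests/dev-tilt so Tilt substitutes the local build; never push this tag`, and consider `imagePullPolicy: Never` on the dev manifests as a backstop. The surrounding `docker_build_with_restart(` call continues past the hunk.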
diff --git a/applicationset/controllers/applicationset_controller.go b/applicationset/controllers/applicationset_controller.go
index e2a0b7ba39..30f6c63e30 100644
--- a/applicationset/controllers/applicationset_controller.go
+++ b/applicationset/controllers/applicationset_controller.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "reflect"
 "runtime/debug"
+ "slices"
 "sort"
 "strconv"
 "strings"
@@ -47,7 +48,7 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/handler"
 "sigs.k8s.io/controller-runtime/pkg/predicate"
 
- "github.com/argoproj/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
 
 "github.com/argoproj/argo-cd/v3/applicationset/controllers/template"
 "github.com/argoproj/argo-cd/v3/applicationset/generators"
@@ -243,11 +244,6 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
 }
 
- err = r.updateResourcesStatus(ctx, logCtx, &applicationSetInfo, currentApplications)
- if err != nil {
- return ctrl.Result{}, fmt.Errorf("failed to get update resources status for application set: %w", err)
- }
-
 // appSyncMap tracks which apps will be synced during this reconciliation.
 appSyncMap := map[string]bool{}
@@ -371,6 +367,16 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 }
 }
 
+ // Update resources status after create/update/delete so it reflects the actual cluster state.
+ currentApplications, err = r.getCurrentApplications(ctx, applicationSetInfo)
+ if err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
+ }
+ err = r.updateResourcesStatus(ctx, logCtx, &applicationSetInfo, currentApplications)
+ if err != nil {
+ return ctrl.Result{}, fmt.Errorf("failed to update resources status for application set: %w", err)
+ }
+
 if applicationSetInfo.RefreshRequired() {
 delete(applicationSetInfo.Annotations, common.AnnotationApplicationSetRefresh)
 err := r.Update(ctx, &applicationSetInfo)
@@ -1046,12 +1052,10 @@ func labelMatchedExpression(logCtx *log.Entry, val string, matchExpression argov
 // if operator == NotIn, default to true
 valueMatched := matchExpression.Operator == "NotIn"
 
- for _, value := range matchExpression.Values {
- if val == value {
- // first "In" match returns true
- // first "NotIn" match returns false
- return matchExpression.Operator == "In"
- }
+ if slices.Contains(matchExpression.Values, val) {
+ // first "In" match returns true
+ // first "NotIn" match returns false
+ return matchExpression.Operator == "In"
 }
 return valueMatched
 }
diff --git a/applicationset/controllers/applicationset_controller_test.go b/applicationset/controllers/applicationset_controller_test.go
index 5d8f5c20d1..4f4b558020 100644
--- a/applicationset/controllers/applicationset_controller_test.go
+++ b/applicationset/controllers/applicationset_controller_test.go
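Review bot: The re-fetch `currentApplications, err = r.getCurrentApplications(ctx, applicationSetInfo)` presumably reads through the same `r.Client` used for the create/update/delete calls above; if that is the manager's cache-backed client in production, Applications written moments earlier in this reconcile may not be in the informer cache yet, so `status.resources` can still miss them until the next reconcile, which contradicts the comment's "reflects the actual cluster state". The new test uses a fake client with no cache lag, so it would not expose this. Either soften the comment to `// Re-list after create/update/delete so status.resources reflects the post-write state (may lag one reconcile behind a cached client).` or, if the writes are meant to be observed immediately, build the status from the objects just written rather than from a fresh list. Reconcile begins and ends outside this hunk.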
@@ -28,8 +28,8 @@ import (
 "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 "sigs.k8s.io/controller-runtime/pkg/event"
 
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 
 "github.com/argoproj/argo-cd/v3/applicationset/generators"
 "github.com/argoproj/argo-cd/v3/applicationset/generators/mocks"
@@ -2950,6 +2950,112 @@ func TestUpdatePerformedWithSyncPolicySync(t *testing.T) {
 assert.Equal(t, map[string]string{"label-key": "label-value"}, app.Labels)
 }
 
+// TestReconcilePopulatesResourcesStatusOnFirstRun verifies that status.resources and status.resourcesCount
+// are populated after the first reconcile, when applications are created.
+func TestReconcilePopulatesResourcesStatusOnFirstRun(t *testing.T) {
+ scheme := runtime.NewScheme()
+ err := v1alpha1.AddToScheme(scheme)
+ require.NoError(t, err)
+ err = corev1.AddToScheme(scheme)
+ require.NoError(t, err)
+
+ defaultProject := v1alpha1.AppProject{
+ ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: "argocd"},
+ Spec: v1alpha1.AppProjectSpec{SourceRepos: []string{"*"}, Destinations: []v1alpha1.ApplicationDestination{{Namespace: "*", Server: "https://good-cluster"}}},
+ }
+ applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicySync
+ appSet := v1alpha1.ApplicationSet{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "name",
+ Namespace: "argocd",
+ },
+ Spec: v1alpha1.ApplicationSetSpec{
+ Generators: []v1alpha1.ApplicationSetGenerator{
+ {
+ List: &v1alpha1.ListGenerator{
+ Elements: []apiextensionsv1.JSON{{
+ Raw: []byte(`{"cluster": "good-cluster","url": "https://good-cluster"}`),
+ }},
+ },
+ },
+ },
+ SyncPolicy: &v1alpha1.ApplicationSetSyncPolicy{
+ ApplicationsSync: &applicationsSyncPolicy,
+ },
+ Template: v1alpha1.ApplicationSetTemplate{
+ ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{
+ Name: "{{cluster}}",
+ Namespace: "argocd",
+ },
+ Spec: v1alpha1.ApplicationSpec{
+ Source: &v1alpha1.ApplicationSource{RepoURL: "https://github.com/argoproj/argocd-example-apps", Path: "guestbook"},
+ Project: "default",
+ Destination: v1alpha1.ApplicationDestination{Server: "{{url}}"},
+ },
+ },
+ },
+ }
+
+ secret := &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "my-cluster",
+ Namespace: "argocd",
+ Labels: map[string]string{
+ argocommon.LabelKeySecretType: argocommon.LabelValueSecretTypeCluster,
+ },
+ },
+ Data: map[string][]byte{
+ "name": []byte("good-cluster"),
+ "server": []byte("https://good-cluster"),
+ "config": []byte("{\"username\":\"foo\",\"password\":\"foo\"}"),
+ },
+ }
+
+ kubeclientset := getDefaultTestClientSet(secret)
+ client := fake.NewClientBuilder().
+ WithScheme(scheme).
+ WithObjects(&appSet, &defaultProject, secret).
+ WithStatusSubresource(&appSet).
+ WithIndex(&v1alpha1.Application{}, ".metadata.controller", appControllerIndexer).
+ Build()
+ metrics := appsetmetrics.NewFakeAppsetMetrics()
+
+ argodb := db.NewDB("argocd", settings.NewSettingsManager(t.Context(), kubeclientset, "argocd"), kubeclientset)
+ clusterInformer, err := settings.NewClusterInformer(kubeclientset, "argocd")
+ require.NoError(t, err)
+
+ defer startAndSyncInformer(t, clusterInformer)()
+
+ r := ApplicationSetReconciler{
+ Client: client,
+ Scheme: scheme,
+ Renderer: &utils.Render{},
+ Recorder: record.NewFakeRecorder(1),
+ Generators: map[string]generators.Generator{"List": generators.NewListGenerator()},
+ ArgoDB: argodb,
+ ArgoCDNamespace: "argocd",
+ KubeClientset: kubeclientset,
+ Policy: v1alpha1.ApplicationsSyncPolicySync,
+ Metrics: metrics,
+ ClusterInformer: clusterInformer,
+ }
+
+ req := ctrl.Request{
+ NamespacedName: types.NamespacedName{Namespace: "argocd", Name: "name"},
+ }
+
+ _, err = r.Reconcile(t.Context(), req)
+ require.NoError(t, err)
+
+ var retrievedAppSet v1alpha1.ApplicationSet
+ err = r.Get(t.Context(), crtclient.ObjectKey{Namespace: "argocd", Name: "name"}, &retrievedAppSet)
+ require.NoError(t, err)
+
+ assert.Len(t, retrievedAppSet.Status.Resources, 1, "status.resources should have 1 item after first reconcile")
+ assert.Equal(t, int64(1), retrievedAppSet.Status.ResourcesCount, "status.resourcesCount should be 1 after first reconcile")
+ assert.Equal(t, "good-cluster", retrievedAppSet.Status.Resources[0].Name)
+}
+
 func TestUpdatePerformedWithSyncPolicyCreateOnlyAndAllowPolicyOverrideFalse(t *testing.T) {
 applicationsSyncPolicy := v1alpha1.ApplicationsSyncPolicyCreateOnly
@@ -4652,7 +4758,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 
 newDefaultAppSet := func(stepsCount int, status []v1alpha1.ApplicationSetApplicationStatus) v1alpha1.ApplicationSet {
 steps := []v1alpha1.ApplicationSetRolloutStep{}
- for i := 0; i < stepsCount; i++ {
+ for range stepsCount {
 steps = append(steps, v1alpha1.ApplicationSetRolloutStep{MatchExpressions: []v1alpha1.ApplicationMatchExpression{}})
 }
 return v1alpha1.ApplicationSet{
@@ -6365,7 +6471,7 @@ func TestUpdateResourceStatus(t *testing.T) {
 
 func generateNAppResourceStatuses(n int) []v1alpha1.ResourceStatus {
 var r []v1alpha1.ResourceStatus
- for i := 0; i < n; i++ {
+ for i := range n {
 r = append(r, v1alpha1.ResourceStatus{
 Name: "app" + strconv.Itoa(i),
 Status: v1alpha1.SyncStatusCodeSynced,
@@ -6380,7 +6486,7 @@ func generateNAppResourceStatuses(n int) []v1alpha1.ResourceStatus {
 
 func generateNHealthyApps(n int) []v1alpha1.Application {
 var r []v1alpha1.Application
- for i := 0; i < n; i++ {
+ for i := range n {
 r = append(r, v1alpha1.Application{
 ObjectMeta: metav1.ObjectMeta{
 Name: "app" + strconv.Itoa(i),
diff --git a/applicationset/generators/git.go b/applicationset/generators/git.go
index cb9f4c8d47..48c8368fbb 100644
--- a/applicationset/generators/git.go
+++ b/applicationset/generators/git.go
@@ -3,6 +3,7 @@ package generators
 import (
 "context"
 "fmt"
+ "maps"
 "path"
 "sort"
 "strconv"
@@ -168,9 +169,7 @@ func (g *GitGenerator) generateParamsForGitFiles(appSetGenerator *argoprojiov1al
 if err != nil {
 return nil, err
 }
- for absPath, content := range retrievedFiles {
- fileContentMap[absPath] = content
- }
+ maps.Copy(fileContentMap, retrievedFiles)
 }
 
 // Now remove files matching any exclude pattern
@@ -242,9 +241,7 @@ func (g *GitGenerator) generateParamsFromGitFile(filePath string, fileContent [] params := map[string]any{} if useGoTemplate { - for k, v := range objectFound { - params[k] = v - } + maps.Copy(params, objectFound) paramPath := map[string]any{} diff --git a/applicationset/generators/plugin.go b/applicationset/generators/plugin.go index 5a1011b0a9..625234eca4 100644 --- a/applicationset/generators/plugin.go +++ b/applicationset/generators/plugin.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "maps" "strconv" "strings" "time" @@ -115,9 +116,7 @@ func (g *PluginGenerator) generateParams(appSetGenerator *argoprojiov1alpha1.App params := map[string]any{} if useGoTemplate { - for k, v := range objectFound { - params[k] = v - } + maps.Copy(params, objectFound) } else { flat, err := flatten.Flatten(objectFound, "", flatten.DotStyle) if err != nil { diff --git a/applicationset/generators/pull_request.go b/applicationset/generators/pull_request.go index 019c0903d8..0b739f2f6a 100644 --- a/applicationset/generators/pull_request.go +++ b/applicationset/generators/pull_request.go @@ -96,15 +96,9 @@ func (g *PullRequestGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha var shortSHALength int var shortSHALength7 int for _, pull := range pulls { - shortSHALength = 8 - if len(pull.HeadSHA) < 8 { - shortSHALength = len(pull.HeadSHA) - } + shortSHALength = min(len(pull.HeadSHA), 8) - shortSHALength7 = 7 - if len(pull.HeadSHA) < 7 { - shortSHALength7 = len(pull.HeadSHA) - } + shortSHALength7 = min(len(pull.HeadSHA), 7) paramMap := map[string]any{ "number": strconv.FormatInt(pull.Number, 10), diff --git a/applicationset/generators/scm_provider.go b/applicationset/generators/scm_provider.go index 9e7158ef8e..dd7f3013c2 100644 --- a/applicationset/generators/scm_provider.go +++ b/applicationset/generators/scm_provider.go @@ -5,6 +5,7 @@ import ( "errors" "fmt" "net/http" + "slices" "strings" "time" 
@@ -105,10 +106,8 @@ func ScmProviderAllowed(applicationSetInfo *argoprojiov1alpha1.ApplicationSet, g return nil } - for _, allowedScmProvider := range allowedScmProviders { - if url == allowedScmProvider { - return nil - } + if slices.Contains(allowedScmProviders, url) { + return nil } log.WithFields(log.Fields{ @@ -244,15 +243,9 @@ func (g *SCMProviderGenerator) GenerateParams(appSetGenerator *argoprojiov1alpha var shortSHALength int var shortSHALength7 int for _, repo := range repos { - shortSHALength = 8 - if len(repo.SHA) < 8 { - shortSHALength = len(repo.SHA) - } + shortSHALength = min(len(repo.SHA), 8) - shortSHALength7 = 7 - if len(repo.SHA) < 7 { - shortSHALength7 = len(repo.SHA) - } + shortSHALength7 = min(len(repo.SHA), 7) params := map[string]any{ "organization": repo.Organization, diff --git a/applicationset/generators/value_interpolation.go b/applicationset/generators/value_interpolation.go index a7b3f25b80..96bb5e1ba8 100644 --- a/applicationset/generators/value_interpolation.go +++ b/applicationset/generators/value_interpolation.go @@ -2,6 +2,7 @@ package generators import ( "fmt" + "maps" ) func appendTemplatedValues(values map[string]string, params map[string]any, useGoTemplate bool, goTemplateOptions []string) error { @@ -26,9 +27,7 @@ func appendTemplatedValues(values map[string]string, params map[string]any, useG } } - for key, value := range tmp { - params[key] = value - } + maps.Copy(params, tmp) return nil } diff --git a/applicationset/metrics/metrics_test.go b/applicationset/metrics/metrics_test.go index 7ede7b4bcb..332b3e0d11 100644 --- a/applicationset/metrics/metrics_test.go +++ b/applicationset/metrics/metrics_test.go 
@@ -151,9 +151,9 @@ spec: func newFakeAppsets(fakeAppsetYAML string) []argoappv1.ApplicationSet { var results []argoappv1.ApplicationSet - appsetRawYamls := strings.Split(fakeAppsetYAML, "---") + appsetRawYamls := strings.SplitSeq(fakeAppsetYAML, "---") - for _, appsetRawYaml := range appsetRawYamls { + for appsetRawYaml := range appsetRawYamls { var appset argoappv1.ApplicationSet err := yaml.Unmarshal([]byte(appsetRawYaml), &appset) if err != nil { diff --git a/applicationset/services/pull_request/azure_devops.go b/applicationset/services/pull_request/azure_devops.go index c4705c99ce..a3862a3bae 100644 --- a/applicationset/services/pull_request/azure_devops.go +++ b/applicationset/services/pull_request/azure_devops.go @@ -3,6 +3,7 @@ package pull_request import ( "context" "fmt" + "slices" "strings" "github.com/microsoft/azure-devops-go-api/azuredevops/v7" @@ -136,13 +137,7 @@ func convertLabels(tags *[]core.WebApiTagDefinition) []string { // containAzureDevOpsLabels returns true if gotLabels contains expectedLabels func containAzureDevOpsLabels(expectedLabels []string, gotLabels []string) bool { for _, expected := range expectedLabels { - found := false - for _, got := range gotLabels { - if expected == got { - found = true - break - } - } + found := slices.Contains(gotLabels, expected) if !found { return false } diff --git a/applicationset/services/pull_request/bitbucket_server_test.go b/applicationset/services/pull_request/bitbucket_server_test.go index 238b6aa122..e54438cdcf 100644 --- a/applicationset/services/pull_request/bitbucket_server_test.go +++ b/applicationset/services/pull_request/bitbucket_server_test.go @@ -268,7 +268,6 @@ func TestListPullRequestTLS(t *testing.T) { } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defaultHandler(t)(w, r) 
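Review bot: The new `found := slices.Contains(gotLabels, expected)` in containAzureDevOpsLabels is followed immediately by `if !found { return false }`, so the temporary the old loop needed is now dead weight; folding it into the condition reads the way the other `slices` conversions in this commit do: `if !slices.Contains(gotLabels, expected) { return false }`. The function's trailing `return true` lies outside the hunk.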
diff --git a/applicationset/services/pull_request/gitea.go b/applicationset/services/pull_request/gitea.go index 356fedc119..af4f72dad9 100644 --- a/applicationset/services/pull_request/gitea.go +++ b/applicationset/services/pull_request/gitea.go @@ -83,7 +83,7 @@ func (g *GiteaService) List(ctx context.Context) ([]*PullRequest, error) { // containLabels returns true if gotLabels contains expectedLabels func giteaContainLabels(expectedLabels []string, gotLabels []*gitea.Label) bool { gotLabelNamesMap := make(map[string]bool) - for i := 0; i < len(gotLabels); i++ { + for i := range gotLabels { gotLabelNamesMap[gotLabels[i].Name] = true } for _, expected := range expectedLabels { diff --git a/applicationset/services/pull_request/gitlab_test.go b/applicationset/services/pull_request/gitlab_test.go index 561a903b39..5f7bfd022e 100644 --- a/applicationset/services/pull_request/gitlab_test.go +++ b/applicationset/services/pull_request/gitlab_test.go @@ -158,7 +158,6 @@ func TestListWithStateTLS(t *testing.T) { } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { writeMRListResponse(t, w) diff --git a/applicationset/services/scm_provider/bitbucket_server_test.go b/applicationset/services/scm_provider/bitbucket_server_test.go index 3f7b687598..78cea36072 100644 --- a/applicationset/services/scm_provider/bitbucket_server_test.go +++ b/applicationset/services/scm_provider/bitbucket_server_test.go @@ -445,7 +445,6 @@ func TestListReposTLS(t *testing.T) { } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { defaultHandler(t)(w, r) diff --git a/applicationset/services/scm_provider/gitlab_test.go b/applicationset/services/scm_provider/gitlab_test.go index 9f37de4bc6..b25da0f2b6 100644 
--- a/applicationset/services/scm_provider/gitlab_test.go +++ b/applicationset/services/scm_provider/gitlab_test.go @@ -1301,7 +1301,6 @@ func TestGetBranchesTLS(t *testing.T) { } for _, test := range tests { - test := test t.Run(test.name, func(t *testing.T) { ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { gitlabMockHandler(t)(w, r) diff --git a/applicationset/services/scm_provider/utils.go b/applicationset/services/scm_provider/utils.go index d9d8ac63a6..ebf459dd0e 100644 --- a/applicationset/services/scm_provider/utils.go +++ b/applicationset/services/scm_provider/utils.go @@ -4,6 +4,7 @@ import ( "context" "fmt" "regexp" + "slices" "strings" argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" @@ -58,13 +59,7 @@ func matchFilter(ctx context.Context, provider SCMProviderService, repo *Reposit } if filter.LabelMatch != nil { - found := false - for _, label := range repo.Labels { - if filter.LabelMatch.MatchString(label) { - found = true - break - } - } + found := slices.ContainsFunc(repo.Labels, filter.LabelMatch.MatchString) if !found { return false, nil } diff --git a/applicationset/utils/createOrUpdate_test.go b/applicationset/utils/createOrUpdate_test.go index f014cb120b..374eb826ea 100644 --- a/applicationset/utils/createOrUpdate_test.go +++ b/applicationset/utils/createOrUpdate_test.go @@ -216,7 +216,6 @@ spec: } for _, tc := range testCases { - tc := tc t.Run(tc.name, func(t *testing.T) { t.Parallel() foundApp := v1alpha1.Application{TypeMeta: appMeta} diff --git a/applicationset/utils/selector.go b/applicationset/utils/selector.go index eae0324236..8252b80650 100644 --- a/applicationset/utils/selector.go +++ b/applicationset/utils/selector.go @@ -2,6 +2,7 @@ package utils import ( "fmt" + "slices" "sort" "strconv" "strings" 
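Review bot: In matchFilter the replacement `found := slices.ContainsFunc(repo.Labels, filter.LabelMatch.MatchString)` is only ever read by the `if !found` on the next line, so the intermediate variable no longer earns its place; `if !slices.ContainsFunc(repo.Labels, filter.LabelMatch.MatchString) { return false, nil }` says the same thing in one step. matchFilter starts and ends outside the hunk.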
@@ -207,12 +208,7 @@ type Requirement struct { } func (r *Requirement) hasValue(value string) bool { - for i := range r.strValues { - if r.strValues[i] == value { - return true - } - } - return false + return slices.Contains(r.strValues, value) } func (r *Requirement) Matches(ls labels.Labels) bool { diff --git a/applicationset/utils/utils.go b/applicationset/utils/utils.go index a82b2a6709..8648267536 100644 --- a/applicationset/utils/utils.go +++ b/applicationset/utils/utils.go @@ -388,8 +388,7 @@ func invalidGenerators(applicationSetInfo *argoappsv1.ApplicationSet) (bool, map for index, generator := range applicationSetInfo.Spec.Generators { v := reflect.Indirect(reflect.ValueOf(generator)) found := false - for i := 0; i < v.NumField(); i++ { - field := v.Field(i) + for _, field := range v.Fields() { if !field.CanInterface() { continue } diff --git a/applicationset/webhook/webhook.go b/applicationset/webhook/webhook.go index acb9fa85aa..9950a7de7f 100644 --- a/applicationset/webhook/webhook.go +++ b/applicationset/webhook/webhook.go @@ -107,10 +107,8 @@ func NewWebhookHandler(webhookParallelism int, argocdSettingsMgr *argosettings.S func (h *WebhookHandler) startWorkerPool(webhookParallelism int) { compLog := log.WithField("component", "applicationset-webhook") - for i := 0; i < webhookParallelism; i++ { - h.Add(1) - go func() { - defer h.Done() + for range webhookParallelism { + h.Go(func() { for { payload, ok := <-h.queue if !ok { @@ -118,7 +116,7 @@ func (h *WebhookHandler) startWorkerPool(webhookParallelism int) { } guard.RecoverAndLog(func() { h.HandleEvent(payload) }, compLog, panicMsgAppSet) } - }() + }) } } diff --git a/applicationset/webhook/webhook_test.go b/applicationset/webhook/webhook_test.go index 6b2f1a2a6a..3789ca96f8 100644 --- a/applicationset/webhook/webhook_test.go +++ b/applicationset/webhook/webhook_test.go 
@@ -609,7 +609,7 @@ func fakeAppWithMatrixAndNestedGitGenerator(name, namespace, repo string) *v1alp }, { Matrix: &apiextensionsv1.JSON{ - Raw: []byte(fmt.Sprintf(`{ + Raw: fmt.Appendf(nil, `{ "Generators": [ { "List": { @@ -626,7 +626,7 @@ func fakeAppWithMatrixAndNestedGitGenerator(name, namespace, repo string) *v1alp } } ] - }`, repo)), + }`, repo), }, }, }, @@ -707,7 +707,7 @@ func fakeAppWithMergeAndNestedGitGenerator(name, namespace, repo string) *v1alph }, { Merge: &apiextensionsv1.JSON{ - Raw: []byte(fmt.Sprintf(`{ + Raw: fmt.Appendf(nil, `{ "MergeKeys": ["server"], "Generators": [ { @@ -719,7 +719,7 @@ func fakeAppWithMergeAndNestedGitGenerator(name, namespace, repo string) *v1alph } } ] - }`, repo)), + }`, repo), }, }, }, diff --git a/assets/swagger.json b/assets/swagger.json index 05d4523b27..750087096d 100644 --- a/assets/swagger.json +++ b/assets/swagger.json @@ -7695,11 +7695,11 @@ }, "namePrefix": { "type": "string", - "title": "NamePrefix is a prefix appended to resources for Kustomize apps" + "title": "NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps" }, "nameSuffix": { "type": "string", - "title": "NameSuffix is a suffix appended to resources for Kustomize apps" + "title": "NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps" }, "namespace": { "type": "string", @@ -9756,7 +9756,7 @@ "type": "object", "properties": { "diff": { - "description": "Diff contains the JSON patch representing the difference between the live and target resource.\nDeprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences.", + "description": "Diff contains the JSON patch representing the difference between the live and target resource.\n\nDeprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences.", "type": "string" }, "group": { 
diff --git a/cmd/argocd-application-controller/commands/argocd_application_controller.go b/cmd/argocd-application-controller/commands/argocd_application_controller.go index 16a179c1b6..ed443ed9da 100644 --- a/cmd/argocd-application-controller/commands/argocd_application_controller.go +++ b/cmd/argocd-application-controller/commands/argocd_application_controller.go @@ -41,8 +41,6 @@ import ( ) const ( - // CLIName is the name of the CLI - cliName = common.ApplicationController // Default time in seconds for application resync period defaultAppResyncPeriod = 120 // Default time in seconds for application resync period jitter @@ -99,7 +97,7 @@ func NewCommand() *cobra.Command { hydratorEnabled bool ) command := cobra.Command{ - Use: cliName, + Use: common.CommandApplicationController, Short: "Run ArgoCD Application Controller", Long: "ArgoCD application controller is a Kubernetes controller that continuously monitors running applications and compares the current, live state against the desired target state (as specified in the repo). This command runs Application Controller in the foreground. It can be configured by following options.", DisableAutoGenTag: true, diff --git a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go index 89ea8174b9..a9edbab97c 100644 --- a/cmd/argocd-applicationset-controller/commands/applicationset_controller.go +++ b/cmd/argocd-applicationset-controller/commands/applicationset_controller.go @@ -49,10 +49,6 @@ import ( var gitSubmoduleEnabled = env.ParseBoolFromEnv(common.EnvGitSubmoduleEnabled, true) -const ( - cliName = common.ApplicationSetController -) - func NewCommand() *cobra.Command { var ( clientConfig clientcmd.ClientConfig 
@@ -87,7 +83,7 @@ func NewCommand() *cobra.Command { _ = clientgoscheme.AddToScheme(scheme) _ = appv1alpha1.AddToScheme(scheme) command := cobra.Command{ - Use: cliName, + Use: common.CommandApplicationSetController, Short: "Starts Argo CD ApplicationSet controller", DisableAutoGenTag: true, RunE: func(c *cobra.Command, _ []string) error { @@ -306,7 +302,7 @@ func NewCommand() *cobra.Command { command.Flags().IntVar(&webhookParallelism, "webhook-parallelism-limit", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_WEBHOOK_PARALLELISM_LIMIT", 50, 1, 1000), "Number of webhook requests processed concurrently") command.Flags().StringSliceVar(&metricsAplicationsetLabels, "metrics-applicationset-labels", []string{}, "List of Application labels that will be added to the argocd_applicationset_labels metric") command.Flags().BoolVar(&enableGitHubAPIMetrics, "enable-github-api-metrics", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_GITHUB_API_METRICS", false), "Enable GitHub API metrics for generators that use the GitHub API") - command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 0, 0, math.MaxInt), "Max number of resources stored in appset status.") + command.Flags().IntVar(&maxResourcesStatusCount, "max-resources-status-count", env.ParseNumFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_MAX_RESOURCES_STATUS_COUNT", 5000, 0, math.MaxInt), "Max number of resources stored in appset status.") return &command } diff --git a/cmd/argocd-cmp-server/commands/argocd_cmp_server.go b/cmd/argocd-cmp-server/commands/argocd_cmp_server.go index efb4960fae..85f827b814 100644 --- a/cmd/argocd-cmp-server/commands/argocd_cmp_server.go +++ b/cmd/argocd-cmp-server/commands/argocd_cmp_server.go 
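Review bot: The default of `--max-resources-status-count` moves from 0 to 5000, but the help text `Max number of resources stored in appset status.` still says nothing about what happens to `status.resources` once the bound is exceeded or what 0 selects, so an operator reading `--help` cannot tell that upgrading now caps status for ApplicationSets that generate more than 5000 Applications. The controller test earlier in this diff asserts `status.resourcesCount` separately from `status.resources`, which suggests the total survives truncation, but that is inferred here rather than shown. Anything that consumes `status.resources` downstream (dashboards, automation that reconciles against it) will silently see a partial list after the upgrade, which deserves a line in the upgrade notes as well. Suggested help text, adjusted to whatever 0 actually means in the reconciler: `"Max number of resources stored in appset status; entries beyond this are dropped from status.resources while status.resourcesCount keeps the total. 0 disables the limit."`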
@@ -18,11 +18,6 @@ import ( traceutil "github.com/argoproj/argo-cd/v3/util/trace" ) -const ( - // CLIName is the name of the CLI - cliName = "argocd-cmp-server" -) - func NewCommand() *cobra.Command { var ( configFilePath string @@ -32,7 +27,7 @@ func NewCommand() *cobra.Command { otlpAttrs []string ) command := cobra.Command{ - Use: cliName, + Use: common.CommandCMPServer, Short: "Run ArgoCD ConfigManagementPlugin Server", Long: "ArgoCD ConfigManagementPlugin Server is an internal service which runs as sidecar container in reposerver deployment. The following configuration options are available:", DisableAutoGenTag: true, diff --git a/cmd/argocd-commit-server/commands/argocd_commit_server.go b/cmd/argocd-commit-server/commands/argocd_commit_server.go index 8ecbaf36af..f973264a22 100644 --- a/cmd/argocd-commit-server/commands/argocd_commit_server.go +++ b/cmd/argocd-commit-server/commands/argocd_commit_server.go @@ -35,7 +35,7 @@ func NewCommand() *cobra.Command { metricsHost string ) command := &cobra.Command{ - Use: "argocd-commit-server", + Use: common.CommandCommitServer, Short: "Run Argo CD Commit Server", Long: "Argo CD Commit Server is an internal service which commits and pushes hydrated manifests to git. This command runs Commit Server in the foreground.", RunE: func(cmd *cobra.Command, _ []string) error { @@ -91,13 +91,11 @@ func NewCommand() *cobra.Command { sigCh := make(chan os.Signal, 1) signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM) wg := sync.WaitGroup{} - wg.Add(1) - go func() { + wg.Go(func() { s := <-sigCh log.Printf("got signal %v, attempting graceful shutdown", s) grpc.GracefulStop() - wg.Done() - }() + }) log.Println("starting grpc server") err = grpc.Serve(listener) diff --git a/cmd/argocd-dex/commands/argocd_dex.go b/cmd/argocd-dex/commands/argocd_dex.go index b27aed6b7b..23fa983d56 100644 --- a/cmd/argocd-dex/commands/argocd_dex.go +++ b/cmd/argocd-dex/commands/argocd_dex.go 
@@ -25,13 +25,9 @@ import ( "github.com/argoproj/argo-cd/v3/util/tls" ) -const ( - cliName = "argocd-dex" -) - func NewCommand() *cobra.Command { command := &cobra.Command{ - Use: cliName, + Use: common.CommandDex, Short: "argocd-dex tools used by Argo CD", Long: "argocd-dex has internal utility tools used by Argo CD", DisableAutoGenTag: true, diff --git a/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go b/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go index 01c7c95f99..298c9e070e 100644 --- a/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go +++ b/cmd/argocd-git-ask-pass/commands/argocd_git_ask_pass.go @@ -9,20 +9,16 @@ import ( "google.golang.org/grpc" "google.golang.org/grpc/credentials/insecure" + "github.com/argoproj/argo-cd/v3/common" "github.com/argoproj/argo-cd/v3/util/askpass" "github.com/argoproj/argo-cd/v3/util/errors" grpc_util "github.com/argoproj/argo-cd/v3/util/grpc" utilio "github.com/argoproj/argo-cd/v3/util/io" ) -const ( - // cliName is the name of the CLI - cliName = "argocd-git-ask-pass" -) - func NewCommand() *cobra.Command { command := cobra.Command{ - Use: cliName, + Use: common.CommandGitAskPass, Short: "Argo CD git credential helper", DisableAutoGenTag: true, Run: func(c *cobra.Command, _ []string) { diff --git a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go index 4049d5dc6d..4e1d58f8b7 100644 --- a/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go +++ b/cmd/argocd-k8s-auth/commands/argocd_k8s_auth.go @@ -2,15 +2,13 @@ package commands import ( "github.com/spf13/cobra" -) -const ( - cliName = "argocd-k8s-auth" + "github.com/argoproj/argo-cd/v3/common" ) func NewCommand() *cobra.Command { command := &cobra.Command{ - Use: cliName, + Use: common.CommandK8sAuth, Short: "argocd-k8s-auth a set of commands to generate k8s auth token", DisableAutoGenTag: true, Run: func(c *cobra.Command, args []string) { 
diff --git a/cmd/argocd-k8s-auth/commands/aws.go b/cmd/argocd-k8s-auth/commands/aws.go index 6052bdb4dc..c5fb0230e6 100644 --- a/cmd/argocd-k8s-auth/commands/aws.go +++ b/cmd/argocd-k8s-auth/commands/aws.go @@ -6,12 +6,14 @@ import ( "encoding/json" "fmt" "os" + "strconv" "time" - "github.com/aws/aws-sdk-go/aws" - "github.com/aws/aws-sdk-go/aws/credentials/stscreds" - "github.com/aws/aws-sdk-go/aws/session" - "github.com/aws/aws-sdk-go/service/sts" + "github.com/aws/aws-sdk-go-v2/aws" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/credentials/stscreds" + "github.com/aws/aws-sdk-go-v2/service/sts" + smithyhttp "github.com/aws/smithy-go/transport/http" "github.com/spf13/cobra" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1" @@ -58,13 +60,13 @@ func newAWSCommand() *cobra.Command { return command } -type getSignedRequestFunc func(clusterName, roleARN string, profile string) (string, error) +type getSignedRequestFunc func(ctx context.Context, clusterName, roleARN string, profile string) (string, error) func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Duration, clusterName, roleARN string, profile string, fn getSignedRequestFunc) (string, error) { ctx, cancel := context.WithTimeout(ctx, timeout) defer cancel() for { - signed, err := fn(clusterName, roleARN, profile) + signed, err := fn(ctx, clusterName, roleARN, profile) if err == nil { return signed, nil } 
@@ -76,25 +78,53 @@ func getSignedRequestWithRetry(ctx context.Context, timeout, interval time.Durat } } -func getSignedRequest(clusterName, roleARN string, profile string) (string, error) { - sess, err := session.NewSessionWithOptions(session.Options{ - Profile: profile, - }) +func getSignedRequest(ctx context.Context, clusterName, roleARN string, profile string) (string, error) { + cfg, err := loadAWSConfig(ctx, profile) if err != nil { - return "", fmt.Errorf("error creating new AWS session: %w", err) + return "", err } - stsAPI := sts.New(sess) + return getSignedRequestWithConfig(ctx, clusterName, roleARN, cfg) +} + +func loadAWSConfig(ctx context.Context, profile string) (aws.Config, error) { + var opts []func(*config.LoadOptions) error + if profile != "" { + opts = append(opts, config.WithSharedConfigProfile(profile)) + } + cfg, err := config.LoadDefaultConfig(ctx, opts...) + if err != nil { + return aws.Config{}, fmt.Errorf("error loading AWS configuration: %w", err) + } + return cfg, nil +} + +// getSignedRequestWithConfig presigns GetCallerIdentity using the given config. Used by getSignedRequest and by tests +// that inject a config with static credentials to exercise the roleARN path without real AWS credentials. +func getSignedRequestWithConfig(ctx context.Context, clusterName, roleARN string, cfg aws.Config) (string, error) { + // Use PresignOptions.ClientOptions + SetHeaderValue (same as aws-iam-authenticator) so the + // canonical request matches what EKS sends when validating. Build middleware can produce + // a different canonical form and thus an invalid signature for EKS. + // See kubernetes-sigs/aws-iam-authenticator pkg/token/token.go GetWithSTS(). 
+ client := sts.NewFromConfig(cfg) if roleARN != "" { - creds := stscreds.NewCredentials(sess, roleARN) - stsAPI = sts.New(sess, &aws.Config{Credentials: creds}) + appCreds := stscreds.NewAssumeRoleProvider(client, roleARN) + cfg.Credentials = aws.NewCredentialsCache(appCreds) + client = sts.NewFromConfig(cfg) } - request, _ := stsAPI.GetCallerIdentityRequest(&sts.GetCallerIdentityInput{}) - request.HTTPRequest.Header.Add(clusterIDHeader, clusterName) - signed, err := request.Presign(requestPresignParam) + + presignClient := sts.NewPresignClient(client) + presigned, err := presignClient.PresignGetCallerIdentity(ctx, &sts.GetCallerIdentityInput{}, + func(presignOptions *sts.PresignOptions) { + presignOptions.ClientOptions = append(presignOptions.ClientOptions, func(stsOptions *sts.Options) { + stsOptions.APIOptions = append(stsOptions.APIOptions, + smithyhttp.SetHeaderValue(clusterIDHeader, clusterName), + smithyhttp.SetHeaderValue("X-Amz-Expires", strconv.Itoa(requestPresignParam))) + }) + }) if err != nil { return "", fmt.Errorf("error presigning AWS request: %w", err) } - return signed, nil + return presigned.URL, nil } func formatJSON(token string, expiration time.Time) string { diff --git a/cmd/argocd-k8s-auth/commands/aws_test.go b/cmd/argocd-k8s-auth/commands/aws_test.go index 487864418c..e1a2879e58 100644 --- a/cmd/argocd-k8s-auth/commands/aws_test.go +++ b/cmd/argocd-k8s-auth/commands/aws_test.go 
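Review bot: `smithyhttp.SetHeaderValue("X-Amz-Expires", strconv.Itoa(requestPresignParam))` assumes requestPresignParam is a plain count of seconds, which the hunk does not show (the constant is defined outside it); the removed v1 code passed the same constant to `request.Presign`, whose parameter is a `time.Duration`, so this migration changes how the value is interpreted and a unit mismatch would only show up as EKS rejecting every token. A comment pinning the contract next to the call would help: `// requestPresignParam is the X-Amz-Expires value in seconds; aws-iam-authenticator's verifier rejects presigned URLs valid for more than 60 s.` The assume-role branch also leaves RoleSessionName to the SDK's generated default, as the v1 code did; passing `func(o *stscreds.AssumeRoleOptions) { o.RoleSessionName = "argocd-k8s-auth" }` to `NewAssumeRoleProvider` would make the resulting CloudTrail AssumeRole and GetCallerIdentity records attributable to this helper rather than to a timestamp.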
@@ -1,14 +1,60 @@ package commands import ( + "context" "errors" "testing" "time" + "github.com/aws/aws-sdk-go-v2/config" + "github.com/aws/aws-sdk-go-v2/credentials" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) +func TestGetSignedRequest(t *testing.T) { + t.Parallel() + + t.Run("returns error when context is cancelled", func(t *testing.T) { + t.Parallel() + ctx, cancel := context.WithCancel(context.Background()) + cancel() + + url, err := getSignedRequest(ctx, "my-cluster", "", "") + + require.ErrorIs(t, err, context.Canceled) + assert.Empty(t, url) + }) + + t.Run("returns error for non-existent profile", func(t *testing.T) { + t.Parallel() + ctx := context.Background() + profile := "argocd-k8s-auth-test-nonexistent-profile-12345" + + url, err := getSignedRequest(ctx, "my-cluster", "", profile) + + require.Error(t, err) + assert.Empty(t, url) + assert.Contains(t, err.Error(), "configuration", "error should mention configuration load failed") + }) + + t.Run("returns error when roleARN is provided and assume role fails", func(t *testing.T) { + t.Parallel() + ctx := context.Background() + cfg, err := config.LoadDefaultConfig(ctx, + config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider("test", "test", "")), + config.WithRegion("us-east-1"), + ) + require.NoError(t, err) + + url, err := getSignedRequestWithConfig(ctx, "my-cluster", "arn:aws:iam::123456789012:role/NonExistentRole", cfg) + + require.Error(t, err) + assert.Empty(t, url) + assert.Contains(t, err.Error(), "presigning", "error should mention presigning failed when assume role is used") + }) +} + func TestGetSignedRequestWithRetry(t *testing.T) { t.Parallel() 
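Review bot: The new TestGetSignedRequest subtests go through the real default credential chain and, in the roleARN case, a real STS endpoint, so their result depends on the runner's environment rather than on the code under test: with `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` exported, presigning needs no network and may well succeed despite the cancelled context, turning `require.ErrorIs(t, err, context.Canceled)` into a failure, and on a runner without egress the roleARN case passes only because the connect or DNS error happens to be wrapped by the `presigning` message. Pinning the environment is awkward here because `t.Setenv` panics when combined with `t.Parallel()`. One option is to drop `t.Parallel()` for this test and call `t.Setenv("AWS_EC2_METADATA_DISABLED", "true")` while clearing `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_PROFILE`; another is to give the injected config an `HTTPClient` whose `Do` always returns an error, so the AssumeRole call fails deterministically without leaving the process.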
@@ -72,7 +118,7 @@ type signedRequestMock struct { returnFunc func(m *signedRequestMock) (string, error) } -func (m *signedRequestMock) getSignedRequestMock(_, _ string, _ string) (string, error) { +func (m *signedRequestMock) getSignedRequestMock(_ context.Context, _, _ string, _ string) (string, error) { m.getSignedRequestCalls++ return m.returnFunc(m) } diff --git a/cmd/argocd-notification/commands/controller.go b/cmd/argocd-notification/commands/argocd_notification.go similarity index 98% rename from cmd/argocd-notification/commands/controller.go rename to cmd/argocd-notification/commands/argocd_notification.go index 1642bab9c4..e59579d811 100644 --- a/cmd/argocd-notification/commands/controller.go +++ b/cmd/argocd-notification/commands/argocd_notification.go @@ -52,7 +52,7 @@ func NewCommand() *cobra.Command { selfServiceNotificationEnabled bool ) command := cobra.Command{ - Use: "controller", + Use: common.CommandNotifications, Short: "Starts Argo CD Notifications controller", RunE: func(_ *cobra.Command, _ []string) error { ctx, cancel := context.WithCancel(context.Background()) @@ -150,13 +150,11 @@ func NewCommand() *cobra.Command { sigCh := make(chan os.Signal, 1) signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM) wg := sync.WaitGroup{} - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { s := <-sigCh log.Printf("got signal %v, attempting graceful shutdown", s) cancel() - }() + }) go ctrl.Run(ctx, processorsCount) <-ctx.Done() diff --git a/cmd/argocd-repo-server/commands/argocd_repo_server.go b/cmd/argocd-repo-server/commands/argocd_repo_server.go index de2c9f39ba..5ee8a40fa8 100644 --- a/cmd/argocd-repo-server/commands/argocd_repo_server.go +++ b/cmd/argocd-repo-server/commands/argocd_repo_server.go 
@@ -34,15 +34,11 @@ import ( "github.com/argoproj/argo-cd/v3/util/gpg" "github.com/argoproj/argo-cd/v3/util/healthz" utilio "github.com/argoproj/argo-cd/v3/util/io" + "github.com/argoproj/argo-cd/v3/util/profile" "github.com/argoproj/argo-cd/v3/util/tls" traceutil "github.com/argoproj/argo-cd/v3/util/trace" ) -const ( - // CLIName is the name of the CLI - cliName = "argocd-repo-server" -) - var ( gnuPGSourcePath = env.StringFromEnv(common.EnvGPGDataPath, "/app/config/gpg/source") pauseGenerationAfterFailedGenerationAttempts = env.ParseNumFromEnv(common.EnvPauseGenerationAfterFailedAttempts, 3, 0, math.MaxInt32) @@ -84,7 +80,7 @@ func NewCommand() *cobra.Command { enableBuiltinGitConfig bool ) command := cobra.Command{ - Use: cliName, + Use: common.CommandRepoServer, Short: "Run ArgoCD Repository Server", Long: "ArgoCD Repository Server is an internal service which maintains a local cache of the Git repository holding the application manifests, and is responsible for generating and returning the Kubernetes manifests. This command runs Repository Server in the foreground. It can be configured by following options.", DisableAutoGenTag: true, @@ -177,7 +173,8 @@ func NewCommand() *cobra.Command { listener, err := lc.Listen(ctx, "tcp", fmt.Sprintf("%s:%d", listenHost, listenPort)) errors.CheckError(err) - healthz.ServeHealthCheck(http.DefaultServeMux, func(r *http.Request) error { + mux := http.NewServeMux() + healthz.ServeHealthCheck(mux, func(r *http.Request) error { if val, ok := r.URL.Query()["full"]; ok && len(val) > 0 && val[0] == "true" { // connect to itself to make sure repo server is able to serve connection // used by liveness probe to auto restart repo server 
@@ -199,8 +196,9 @@ func NewCommand() *cobra.Command { } return nil }) - http.Handle("/metrics", metricsServer.GetHandler()) - go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf("%s:%d", metricsHost, metricsPort), nil)) }() + mux.Handle("/metrics", metricsServer.GetHandler()) + profile.RegisterProfiler(mux) + go func() { errors.CheckError(http.ListenAndServe(fmt.Sprintf("%s:%d", metricsHost, metricsPort), mux)) }() go func() { errors.CheckError(askPassServer.Run()) }() if gpg.IsGPGEnabled() { @@ -225,13 +223,11 @@ func NewCommand() *cobra.Command { sigCh := make(chan os.Signal, 1) signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM) wg := sync.WaitGroup{} - wg.Add(1) - go func() { + wg.Go(func() { s := <-sigCh log.Printf("got signal %v, attempting graceful shutdown", s) grpc.GracefulStop() - wg.Done() - }() + }) log.Println("starting grpc server") err = grpc.Serve(listener) diff --git a/cmd/argocd-server/commands/argocd_server.go b/cmd/argocd-server/commands/argocd_server.go index db01b05905..70346c0c45 100644 --- a/cmd/argocd-server/commands/argocd_server.go +++ b/cmd/argocd-server/commands/argocd_server.go @@ -101,7 +101,7 @@ func NewCommand() *cobra.Command { enableK8sEvent []string ) command := &cobra.Command{ - Use: cliName, + Use: common.CommandServer, Short: "Run the ArgoCD API server", Long: "The API server is a gRPC/REST server which exposes the API consumed by the Web UI, CLI, and CI/CD systems. This command runs API server in the foreground. It can be configured by following options.", DisableAutoGenTag: true, 
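Review bot: `profile.RegisterProfiler(mux)` puts whatever that helper registers — presumably the `net/http/pprof` handlers — on the same unauthenticated listener as `/metrics` at `metricsHost:metricsPort`, and for the repo-server that is the process holding decrypted Git and Helm credentials plus checked-out repository contents, so a `/debug/pprof/heap` dump would expose them to anything that can reach the metrics port. If RegisterProfiler is gated behind an opt-in setting as in other components, a comment here saying so (`// profiler endpoints are only registered when <flag/env> is set`) would spare the next reader the lookup, and the command's Long text should state that enabling it exposes pprof on the metrics port. Moving off `http.DefaultServeMux` is a good change on its own, since it keeps handlers that imported packages register on the default mux off this listener. The rewritten `http.ListenAndServe(..., mux)` still has no `ReadHeaderTimeout`; an explicit `http.Server{Addr: fmt.Sprintf("%s:%d", metricsHost, metricsPort), Handler: mux, ReadHeaderTimeout: ...}` would close that off as well.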
@@ -307,7 +307,7 @@ func NewCommand() *cobra.Command { command.Flags().BoolVar(&disableAuth, "disable-auth", env.ParseBoolFromEnv("ARGOCD_SERVER_DISABLE_AUTH", false), "Disable client authentication") command.Flags().StringVar(&contentTypes, "api-content-types", env.StringFromEnv("ARGOCD_API_CONTENT_TYPES", "application/json", env.StringFromEnvOpts{AllowEmpty: true}), "Semicolon separated list of allowed content types for non GET api requests. Any content type is allowed if empty.") command.Flags().BoolVar(&enableGZip, "enable-gzip", env.ParseBoolFromEnv("ARGOCD_SERVER_ENABLE_GZIP", true), "Enable GZIP compression") - command.AddCommand(cli.NewVersionCmd(cliName)) + command.AddCommand(cli.NewVersionCmd(common.CommandServer)) command.Flags().StringVar(&listenHost, "address", env.StringFromEnv("ARGOCD_SERVER_LISTEN_ADDRESS", common.DefaultAddressAPIServer), "Listen on given address") command.Flags().IntVar(&listenPort, "port", common.DefaultPortAPIServer, "Listen on given port") command.Flags().StringVar(&metricsHost, env.StringFromEnv("ARGOCD_SERVER_METRICS_LISTEN_ADDRESS", "metrics-address"), common.DefaultAddressAPIServerMetrics, "Listen for metrics on given address") diff --git a/cmd/argocd-server/commands/common.go b/cmd/argocd-server/commands/common.go deleted file mode 100644 index 3d7848107d..0000000000 --- a/cmd/argocd-server/commands/common.go +++ /dev/null @@ -1,6 +0,0 @@ -package commands - -const ( - // cliName is the name of the CLI - cliName = "argocd-server" -) diff --git a/cmd/argocd/commands/admin/admin.go b/cmd/argocd/commands/admin/admin.go index cdf04597e6..ded81fe563 100644 --- a/cmd/argocd/commands/admin/admin.go +++ b/cmd/argocd/commands/admin/admin.go 
@@ -183,9 +183,9 @@ func getAdditionalNamespaces(ctx context.Context, configMapsClient dynamic.Resou
 namespacesListFromString := func(namespaces string) []string {
 listOfNamespaces := []string{}
- ss := strings.Split(namespaces, ",")
+ ss := strings.SplitSeq(namespaces, ",")
- for _, namespace := range ss {
+ for namespace := range ss {
 if namespace != "" {
 listOfNamespaces = append(listOfNamespaces, strings.TrimSpace(namespace))
 }
diff --git a/cmd/argocd/commands/admin/app.go b/cmd/argocd/commands/admin/app.go
index efab8d7165..b0f6ccd9c5 100644
--- a/cmd/argocd/commands/admin/app.go
+++ b/cmd/argocd/commands/admin/app.go
@@ -10,8 +10,8 @@ import (
 "sort"
 "time"
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/spf13/cobra"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/cmd/argocd/commands/admin/app_test.go b/cmd/argocd/commands/admin/app_test.go
index 274bbe1148..b8ee58db2b 100644
--- a/cmd/argocd/commands/admin/app_test.go
+++ b/cmd/argocd/commands/admin/app_test.go
@@ -3,9 +3,9 @@ package admin
 import (
 "testing"
- clustermocks "github.com/argoproj/gitops-engine/pkg/cache/mocks"
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ clustermocks "github.com/argoproj/argo-cd/gitops-engine/pkg/cache/mocks"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/mock"
 "github.com/stretchr/testify/require"
diff --git a/cmd/argocd/commands/admin/backup.go b/cmd/argocd/commands/admin/backup.go
index 9fb37a3097..d6858e8c24 100644
--- a/cmd/argocd/commands/admin/backup.go
+++ b/cmd/argocd/commands/admin/backup.go
@@ -8,7 +8,7 @@ import (
 "strings"
 "time"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
diff --git a/cmd/argocd/commands/admin/backup_test.go b/cmd/argocd/commands/admin/backup_test.go
index 381a442863..7a5904444a 100644
--- a/cmd/argocd/commands/admin/backup_test.go
+++ b/cmd/argocd/commands/admin/backup_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 "github.com/argoproj/argo-cd/v3/util/security"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/stretchr/testify/assert"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/cmd/argocd/commands/admin/cluster.go b/cmd/argocd/commands/admin/cluster.go
index 64e69240a5..a2c79456c3 100644
--- a/cmd/argocd/commands/admin/cluster.go
+++ b/cmd/argocd/commands/admin/cluster.go
@@ -10,7 +10,7 @@ import (
 "text/tabwriter"
 "time"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/redis/go-redis/v9"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
@@ -128,12 +128,9 @@ func loadClusters(ctx context.Context, kubeClient kubernetes.Interface, appClien
 batchSize := 10
 batchesCount := int(math.Ceil(float64(len(clusters)) / float64(batchSize)))
- for batchNum := 0; batchNum < batchesCount; batchNum++ {
+ for batchNum := range batchesCount {
 batchStart := batchSize * batchNum
- batchEnd := batchSize * (batchNum + 1)
- if batchEnd > len(clustersList.Items) {
- batchEnd = len(clustersList.Items)
- }
+ batchEnd := min((batchSize * (batchNum + 1)), len(clustersList.Items))
 batch := clustersList.Items[batchStart:batchEnd]
 _ = kube.RunAllAsync(len(batch), func(i int) error {
 clusterShard := 0
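Review bot: In `loadClusters`, `batchesCount` is derived from `len(clusters)` while every batch is sliced from `clustersList.Items`; if those two ever differ in length (how `clusters` is built is above the hunk) the last `batchStart` can exceed `len(clustersList.Items)` and the slice expression panics even with the new `min(...)` bound on `batchEnd`. If they are the same collection, computing the count from the slice that is actually indexed makes that obvious and removes the question: `batchesCount := int(math.Ceil(float64(len(clustersList.Items)) / float64(batchSize)))`. The loop body continues outside the hunk.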
diff --git a/cmd/argocd/commands/admin/generatespec_utils.go b/cmd/argocd/commands/admin/generatespec_utils.go
index 71b2883a98..19bd787574 100644
--- a/cmd/argocd/commands/admin/generatespec_utils.go
+++ b/cmd/argocd/commands/admin/generatespec_utils.go
@@ -7,7 +7,7 @@ import (
 "io"
 "os"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 corev1 "k8s.io/api/core/v1"
 "sigs.k8s.io/yaml"
diff --git a/cmd/argocd/commands/admin/project.go b/cmd/argocd/commands/admin/project.go
index 9381ed4ad2..76bd5c380f 100644
--- a/cmd/argocd/commands/admin/project.go
+++ b/cmd/argocd/commands/admin/project.go
@@ -17,7 +17,7 @@ import (
 utilio "github.com/argoproj/argo-cd/v3/util/io"
 "github.com/argoproj/argo-cd/v3/util/templates"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/spf13/cobra"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/client-go/tools/clientcmd"
diff --git a/cmd/argocd/commands/admin/redis_initial_password.go b/cmd/argocd/commands/admin/redis_initial_password.go
index 96c29017c7..ffb42c0202 100644
--- a/cmd/argocd/commands/admin/redis_initial_password.go
+++ b/cmd/argocd/commands/admin/redis_initial_password.go
@@ -23,7 +23,7 @@ func generateRandomPassword() (string, error) {
 const initialPasswordLength = 16
 const letters = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz-"
 randBytes := make([]byte, initialPasswordLength)
- for i := 0; i < initialPasswordLength; i++ {
+ for i := range initialPasswordLength {
 num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
 if err != nil {
 return "", err
diff --git a/cmd/argocd/commands/admin/settings.go b/cmd/argocd/commands/admin/settings.go
index a239de54b0..a3228eacc6 100644
--- a/cmd/argocd/commands/admin/settings.go
+++ b/cmd/argocd/commands/admin/settings.go
@@ -7,12 +7,13 @@ import (
 "fmt"
 "os"
 "reflect"
+ "slices"
 "sort"
 "strconv"
 "strings"
 "text/tabwriter"
- healthutil "github.com/argoproj/gitops-engine/pkg/health"
+ healthutil "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
 corev1 "k8s.io/api/core/v1"
@@ -271,9 +272,7 @@ func NewValidateSettingsCommand(cmdCtx commandContext) *cobra.Command {
 for k := range validatorsByGroup {
 allGroups = append(allGroups, k)
 }
- sort.Slice(allGroups, func(i, j int) bool {
- return allGroups[i] < allGroups[j]
- })
+ slices.Sort(allGroups)
 command := &cobra.Command{
 Use: "validate",
diff --git a/cmd/argocd/commands/admin/settings_rbac.go b/cmd/argocd/commands/admin/settings_rbac.go
index e9469a61e6..86dc6f9171 100644
--- a/cmd/argocd/commands/admin/settings_rbac.go
+++ b/cmd/argocd/commands/admin/settings_rbac.go
@@ -322,6 +322,7 @@ func getPolicy(ctx context.Context, policyFile string, kubeClient kubernetes.Int
 }
 // getPolicyFromFile loads a RBAC policy from given path
+// nolint:unparam // complains about the error being always nil which is false-positive
 func getPolicyFromFile(policyFile string) (string, string, string, error) {
 var (
 userPolicy string
diff --git a/cmd/argocd/commands/app.go b/cmd/argocd/commands/app.go
index c4626081b7..aac78a7cc2 100644
--- a/cmd/argocd/commands/app.go
+++ b/cmd/argocd/commands/app.go
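Review bot: The new directive above `getPolicyFromFile` is written `// nolint:unparam // ...` with a space after `//`, and golangci-lint only honours the machine-readable form without that space, so as committed it is an ordinary comment: `unparam` keeps reporting and `nolintlint`, if enabled, flags the malformed directive. The wording is also off — if the linter is right that the returned error is always nil (the body is outside the hunk), this is not a false positive but a deliberate choice to keep the four-value signature, and the suppression should say so: `//nolint:unparam // error is always nil today; signature kept for callers that expect it`. Alternatively drop the `error` result and the directive together.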
@@ -19,11 +19,11 @@ import (
 "golang.org/x/sync/errgroup"
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/sync/common"
- "github.com/argoproj/gitops-engine/pkg/sync/hook"
- "github.com/argoproj/gitops-engine/pkg/sync/ignore"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/ignore"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 grpc_retry "github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/retry"
 "github.com/mattn/go-isatty"
 log "github.com/sirupsen/logrus"
@@ -46,7 +46,7 @@ import (
 argocdclient "github.com/argoproj/argo-cd/v3/pkg/apiclient"
 "github.com/argoproj/argo-cd/v3/pkg/apiclient/application"
- resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource"
+ resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource"
 clusterpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster"
 projectpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/project"
@@ -1988,8 +1988,8 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 for _, resource := range resources {
 isExcluded := false
 // check if the resource flag starts with a '!'
- if strings.HasPrefix(resource, resourceExcludeIndicator) {
- resource = strings.TrimPrefix(resource, resourceExcludeIndicator)
+ if after, ok := strings.CutPrefix(resource, resourceExcludeIndicator); ok {
+ resource = after
 isExcluded = true
 }
 fields := strings.Split(resource, resourceFieldDelimiter)
@@ -3326,7 +3326,6 @@ func NewApplicationManifestsCommand(clientOpts *argocdclient.ClientOptions) *cob
 default:
 log.Fatalf("Unknown source type '%s'", source)
 }
-
 for _, obj := range unstructureds {
 fmt.Println("---")
 yamlBytes, err := yaml.Marshal(obj)
diff --git a/cmd/argocd/commands/app_resource_test.go b/cmd/argocd/commands/app_resource_test.go
index c840d3ad3a..8d6a63c55b 100644
--- a/cmd/argocd/commands/app_resource_test.go
+++ b/cmd/argocd/commands/app_resource_test.go
@@ -43,9 +43,49 @@ func TestPrintTreeViewAppResources(t *testing.T) {
 printTreeViewAppResourcesNotOrphaned(nodeMapping, mapParentToChild, parentNode, w)
 require.NoError(t, w.Flush())
 output := buf.String()
-
+ t.Logf("Output:\n%s", output)
 assert.Contains(t, output, "Rollout")
 assert.Contains(t, output, "argoproj.io")
+ assert.Contains(t, output, "└─apps ReplicaSet sandbox-rollout-numalogic-demo numalogic-rollout-demo-5dcd5457d5 No")
+ assert.Contains(t, output, " └─ Pod sandbox-rollout-numalogic-demo numalogic-rollout-demo-5dcd5457d5-6trpt No")
+}
+
+func TestPrintTreeViewAppResourcesWithMultipleChildren(t *testing.T) {
+ var nodes [4]v1alpha1.ResourceNode
+ // Parent
+ nodes[0].ResourceRef = v1alpha1.ResourceRef{Group: "argoproj.io", Kind: "Rollout", Namespace: "ns", Name: "rollout", UID: "root"}
+ // Child 1
+ nodes[1].ResourceRef = v1alpha1.ResourceRef{Group: "apps", Kind: "ReplicaSet", Namespace: "ns", Name: "rs1", UID: "rs1"}
+ nodes[1].ParentRefs = []v1alpha1.ResourceRef{{UID: "root"}}
+ // Child 2
+ nodes[2].ResourceRef = v1alpha1.ResourceRef{Group: "apps", Kind: "ReplicaSet", Namespace: "ns", Name: "rs2", UID: "rs2"}
+ nodes[2].ParentRefs = []v1alpha1.ResourceRef{{UID: "root"}}
+ // Grandchild
+ nodes[3].ResourceRef = v1alpha1.ResourceRef{Group: "", Kind: "Pod", Namespace: "ns", Name: "pod1", UID: "pod1"}
+ nodes[3].ParentRefs = []v1alpha1.ResourceRef{{UID: "rs1"}}
+
+ nodeMapping := make(map[string]v1alpha1.ResourceNode)
+ mapParentToChild := make(map[string][]string)
+ parentNode := make(map[string]struct{})
+ for _, node := range nodes {
+ nodeMapping[node.UID] = node
+ if len(node.ParentRefs) > 0 {
+ mapParentToChild[node.ParentRefs[0].UID] = append(mapParentToChild[node.ParentRefs[0].UID], node.UID)
+ } else {
+ parentNode[node.UID] = struct{}{}
+ }
+ }
+ buf := &bytes.Buffer{}
+ w := tabwriter.NewWriter(buf, 0, 0, 2, ' ', 0)
+
+ printTreeViewAppResourcesNotOrphaned(nodeMapping, mapParentToChild, parentNode, w)
+ require.NoError(t, w.Flush())
+ output := buf.String()
+ t.Logf("Output:\n%s", output)
+
+ assert.Contains(t, output, "├─apps ReplicaSet ns rs1")
+ assert.Contains(t, output, "│ └─ Pod ns pod1")
+ assert.Contains(t, output, "└─apps ReplicaSet ns rs2")
 }
 func TestPrintTreeViewDetailedAppResources(t *testing.T) {
@@ -82,10 +122,11 @@ func TestPrintTreeViewDetailedAppResources(t *testing.T) {
 printDetailedTreeViewAppResourcesNotOrphaned(nodeMapping, mapParentToChild, parentNode, w)
 require.NoError(t, w.Flush())
 output := buf.String()
+ t.Logf("Output:\n%s", output)
- assert.Contains(t, output, "Rollout")
- assert.Contains(t, output, "Degraded")
- assert.Contains(t, output, "Readiness Gate failed")
+ assert.Contains(t, output, "argoproj.io Rollout sandbox-rollout-numalogic-demo numalogic-rollout-demo No Degraded Readiness Gate failed")
+ assert.Contains(t, output, "└─apps ReplicaSet sandbox-rollout-numalogic-demo numalogic-rollout-demo-5dcd5457d5 No")
+ assert.Contains(t, output, " └─ Pod sandbox-rollout-numalogic-demo numalogic-rollout-demo-5dcd5457d5-6trpt No")
 }
 func TestPrintResourcesTree(t *testing.T) {
diff --git a/cmd/argocd/commands/app_resources.go b/cmd/argocd/commands/app_resources.go
index 1013e4bd9a..70c83ece17 100644
--- a/cmd/argocd/commands/app_resources.go
+++ b/cmd/argocd/commands/app_resources.go
@@ -10,6 +10,8 @@ import (
 "gopkg.in/yaml.v3"
+ "github.com/argoproj/argo-cd/v3/util/templates"
+
 "github.com/argoproj/argo-cd/v3/cmd/argocd/commands/utils"
 "github.com/argoproj/argo-cd/v3/cmd/util"
 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@@ -87,7 +89,7 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
 // Get manifests of resources
 // If resource name is "" find all resources of that kind
 var resources []unstructured.Unstructured
- var fetchedStr string
+ var resourceNames []string
 for _, r := range tree.Nodes {
 if (resourceName != "" && r.Name != resourceName) || (group != "" && r.Group != group) || r.Kind != kind {
 continue
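Review bot: `TestPrintTreeViewAppResourcesWithMultipleChildren` checks three substrings with `assert.Contains`, which still passes if a node is printed twice or the root line is missing entirely, and that is exactly the regression surface of the `tree.go` change further down this diff (every node now prints itself on entry). Pin the whole shape with two more lines after the existing asserts: `assert.Contains(t, output, "argoproj.io Rollout ns rollout No")` and `assert.Equal(t, 4, strings.Count(output, "\n"), output)` (importing `strings` if the file does not already). The expected strings also hard-code the tabwriter's column spacing, which is fine for a snapshot-style test but deserves a one-line comment saying any header or width change will require updating them. This hunk spans two physical lines on the page; the test functions are complete within it.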
@@ -117,14 +119,11 @@ func NewApplicationGetResourceCommand(clientOpts *argocdclient.ClientOptions) *c
 obj = filterFieldsFromObject(obj, filteredFields)
 }
- fetchedStr += obj.GetName() + ", "
+ resourceNames = append(resourceNames, obj.GetName())
 resources = append(resources, *obj)
 }
+ fetchedStr := strings.Join(resourceNames, ", ")
 printManifests(&resources, len(filteredFields) > 0, resourceName == "", output)
-
- if fetchedStr != "" {
- fetchedStr = strings.TrimSuffix(fetchedStr, ", ")
- }
 log.Infof("Resources '%s' fetched", fetchedStr)
 }
@@ -533,7 +532,20 @@ func NewApplicationListResourcesCommand(clientOpts *argocdclient.ClientOptions)
 )
 command := &cobra.Command{
 Use: "resources APPNAME",
- Short: "List resource of application",
+ Short: "List resources of application",
+ Example: templates.Examples(`
+ # List first-level resources of application
+ argocd app resources my-app --refresh
+
+ # List only the orphaned resources of application
+ argocd app resources my-app --orphaned
+
+ # Shows resource hierarchy with parent-child relationships
+ argocd app resources my-app --output tree
+
+ # Shows resource hierarchy with parent-child relationships including information about age, health and reason
+ argocd app resources my-app --output tree=detailed
+ `),
 Run: func(c *cobra.Command, args []string) {
 ctx := c.Context()
 if len(args) != 1 {
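Review bot: The first example in the new `Example` block runs `argocd app resources my-app --refresh`, but the flags registered for this command that appear in the next hunk of this file are only `--orphaned`, `--output` and `--project`; unless `--refresh` is defined above line 533 (outside the hunk), the example fails with an unknown-flag error the moment someone copies it. Either drop the flag, `argocd app resources my-app`, or register it. Since the example text is also what `--help` prints, the comment should say what the default output is, e.g. `# List first-level resources of application as a flat table`. The `Run` body continues outside the hunk.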
@@ -554,7 +566,9 @@ func NewApplicationListResourcesCommand(clientOpts *argocdclient.ClientOptions)
 },
 }
 command.Flags().BoolVar(&orphaned, "orphaned", false, "Lists only orphaned resources")
- command.Flags().StringVar(&output, "output", "", "Provides the tree view of the resources")
+ command.Flags().StringVar(&output, "output", "", `Output format. One of: tree|tree=detailed.
+ tree: Shows resource hierarchy with parent-child relationships
+ tree=detailed: Same as tree, but includes AGE, HEALTH, and REASON columns`)
 command.Flags().StringVar(&project, "project", "", `The name of the application's project - specifying this allows the command to report "not found" instead of "permission denied" if the app does not exist`)
 return command
 }
diff --git a/cmd/argocd/commands/app_test.go b/cmd/argocd/commands/app_test.go
index 4f983400c0..f34e78f909 100644
--- a/cmd/argocd/commands/app_test.go
+++ b/cmd/argocd/commands/app_test.go
@@ -12,8 +12,8 @@ import (
 "testing"
 "time"
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/coreos/go-oidc/v3/oidc"
 "github.com/google/go-cmp/cmp"
 "github.com/google/go-cmp/cmp/cmpopts"
diff --git a/cmd/argocd/commands/cluster.go b/cmd/argocd/commands/cluster.go
index b887197527..7b5ade4d89 100644
--- a/cmd/argocd/commands/cluster.go
+++ b/cmd/argocd/commands/cluster.go
@@ -91,7 +91,7 @@ func NewClusterAddCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clie
 )
 command := &cobra.Command{
 Use: "add CONTEXT",
- Short: cliName + " cluster add CONTEXT",
+ Short: common.CommandCLI + " cluster add CONTEXT",
 Run: func(c *cobra.Command, args []string) {
 ctx := c.Context()
@@ -549,7 +549,7 @@ argocd cluster list -o server
 func NewClusterRotateAuthCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 command := &cobra.Command{
 Use: "rotate-auth SERVER/NAME",
- Short: cliName + " cluster rotate-auth SERVER/NAME",
+ Short: common.CommandCLI + " cluster rotate-auth SERVER/NAME",
 Example: `argocd cluster rotate-auth https://12.34.567.89
 argocd cluster rotate-auth cluster-name`,
 Run: func(c *cobra.Command, args []string) {
diff --git a/cmd/argocd/commands/common.go b/cmd/argocd/commands/common.go
index 9b924e063b..418bda0c7b 100644
--- a/cmd/argocd/commands/common.go
+++ b/cmd/argocd/commands/common.go
@@ -9,8 +9,6 @@ import (
 )
 const (
- cliName = "argocd"
-
 // DefaultSSOLocalPort is the localhost port to listen on for the temporary web server performing
 // the OAuth2 login flow.
 DefaultSSOLocalPort = 8085
diff --git a/cmd/argocd/commands/headless/headless.go b/cmd/argocd/commands/headless/headless.go
index f9a744423b..fd120b2f88 100644
--- a/cmd/argocd/commands/headless/headless.go
+++ b/cmd/argocd/commands/headless/headless.go
@@ -302,7 +302,7 @@ func MaybeStartLocalServer(ctx context.Context, clientOpts *apiclient.ClientOpti
 }
 tries := 5
- for i := 0; i < tries; i++ {
+ for range tries {
 err = testAPI(ctx, clientOpts)
 if err == nil {
 break
diff --git a/cmd/argocd/commands/plugin.go b/cmd/argocd/commands/plugin.go
index aae8bba138..3e82d6a9e0 100644
--- a/cmd/argocd/commands/plugin.go
+++ b/cmd/argocd/commands/plugin.go
@@ -170,9 +170,9 @@ func (h *DefaultPluginHandler) ListAvailablePlugins() []string {
 // Check if the file is a valid argocd plugin
 pluginPrefix := prefix + "-"
- if strings.HasPrefix(name, pluginPrefix) {
+ if after, ok := strings.CutPrefix(name, pluginPrefix); ok {
 // Extract the plugin command name (everything after the prefix)
- pluginName := strings.TrimPrefix(name, pluginPrefix)
+ pluginName := after
 // Skip empty plugin names or names with path separators
 if pluginName == "" || strings.Contains(pluginName, "/") || strings.Contains(pluginName, "\\") {
diff --git a/cmd/argocd/commands/projectwindows.go b/cmd/argocd/commands/projectwindows.go
index 239b9e2c85..87d5dfe1a5 100644
--- a/cmd/argocd/commands/projectwindows.go
+++ b/cmd/argocd/commands/projectwindows.go
@@ -362,7 +362,7 @@ argocd proj windows list test-project`,
 func printSyncWindows(proj *v1alpha1.AppProject) {
 w := tabwriter.NewWriter(os.Stdout, 0, 0, 2, ' ', 0)
 var fmtStr string
- headers := []any{"ID", "STATUS", "KIND", "SCHEDULE", "DURATION", "APPLICATIONS", "NAMESPACES", "CLUSTERS", "MANUALSYNC", "TIMEZONE"}
+ headers := []any{"ID", "STATUS", "KIND", "SCHEDULE", "DURATION", "APPLICATIONS", "NAMESPACES", "CLUSTERS", "MANUALSYNC", "TIMEZONE", "USEANDOPERATOR"}
 fmtStr = strings.Repeat("%s\t", len(headers)) + "\n"
 fmt.Fprintf(w, fmtStr, headers...)
 if proj.Spec.SyncWindows.HasWindows() {
diff --git a/cmd/argocd/commands/projectwindows_test.go b/cmd/argocd/commands/projectwindows_test.go
new file mode 100644
index 0000000000..069dd49e6d
--- /dev/null
+++ b/cmd/argocd/commands/projectwindows_test.go
@@ -0,0 +1,40 @@
+package commands
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/stretchr/testify/require"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
+)
+
+func TestPrintSyncWindows(t *testing.T) {
+ proj := &v1alpha1.AppProject{
+ ObjectMeta: metav1.ObjectMeta{Name: "test-project"},
+ Spec: v1alpha1.AppProjectSpec{
+ SyncWindows: v1alpha1.SyncWindows{
+ {
+ Kind: "allow",
+ Schedule: "* * * * *",
+ Duration: "1h",
+ Applications: []string{"app1"},
+ Namespaces: []string{"ns1"},
+ Clusters: []string{"cluster1"},
+ ManualSync: true,
+ UseAndOperator: true,
+ },
+ },
+ },
+ }
+
+ output, err := captureOutput(func() error {
+ printSyncWindows(proj)
+ return nil
+ })
+ require.NoError(t, err)
+ t.Log(output)
+ assert.Contains(t, output, "ID STATUS KIND SCHEDULE DURATION APPLICATIONS NAMESPACES CLUSTERS MANUALSYNC TIMEZONE USEANDOPERATOR")
+ assert.Contains(t, output, "0 Active allow * * * * * 1h app1 ns1 cluster1 Enabled Enabled")
+}
diff --git a/cmd/argocd/commands/root.go b/cmd/argocd/commands/root.go
index c4c82cd4d0..0b82e71286 100644
--- a/cmd/argocd/commands/root.go
+++ b/cmd/argocd/commands/root.go
@@ -37,7 +37,7 @@ func NewCommand() *cobra.Command {
 )
 command := &cobra.Command{
- Use: cliName,
+ Use: common.CommandCLI,
 Short: "argocd controls a Argo CD server",
 Run: func(c *cobra.Command, args []string) {
 c.HelpFunc()(c, args)
diff --git a/cmd/argocd/commands/tree.go b/cmd/argocd/commands/tree.go
index a7e7a19e29..0eac0e2d9a 100644
--- a/cmd/argocd/commands/tree.go
+++ b/cmd/argocd/commands/tree.go
@@ -6,7 +6,7 @@ import (
 "text/tabwriter"
 "time"
- "github.com/argoproj/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
 "k8s.io/apimachinery/pkg/util/duration"
 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
@@ -15,7 +15,6 @@ import (
 const (
 firstElemPrefix = `├─`
 lastElemPrefix = `└─`
- indent = " "
 pipe = `│ `
 )
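Review bot: `TestPrintSyncWindows` exercises only a window with every boolean set, so the rendering of the new `USEANDOPERATOR` column for the common case (`UseAndOperator: false`) and its alignment when `TimeZone` is blank are never pinned; add a second window to `SyncWindows` with `UseAndOperator: false` and assert its row, e.g. `assert.Contains(t, output, "1 Active allow * * * * * 1h app1 ns1 cluster1 Enabled Disabled")`, adjusting to whatever `printSyncWindows` actually emits for a false value (its row formatting is not in this diff). The two expected strings also depend on the exact spacing the `tabwriter` configured with padding 2 in `printSyncWindows` produces, so any header change breaks them; comparing `strings.Fields` of the matching line would survive that. `captureOutput` is defined elsewhere in the package and is assumed to return stdout verbatim.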
@@ -75,9 +74,7 @@ func detailedTreeViewAppGet(prefix string, uidToNodeMap map[string]v1alpha1.Reso
 }
 func treeViewAppResourcesNotOrphaned(prefix string, uidToNodeMap map[string]v1alpha1.ResourceNode, parentChildMap map[string][]string, parent v1alpha1.ResourceNode, w *tabwriter.Writer) {
- if len(parent.ParentRefs) == 0 {
- _, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", parent.Group, parent.Kind, parent.Namespace, parent.Name, "No")
- }
+ _, _ = fmt.Fprintf(w, "%s%s\t%s\t%s\t%s\t%s\n", printPrefix(prefix), parent.Group, parent.Kind, parent.Namespace, parent.Name, "No")
 chs := parentChildMap[parent.UID]
 for i, child := range chs {
 var p string
@@ -92,7 +89,7 @@ func treeViewAppResourcesNotOrphaned(prefix string, uidToNodeMap map[string]v1al
 }
 func treeViewAppResourcesOrphaned(prefix string, uidToNodeMap map[string]v1alpha1.ResourceNode, parentChildMap map[string][]string, parent v1alpha1.ResourceNode, w *tabwriter.Writer) {
- _, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\n", parent.Group, parent.Kind, parent.Namespace, parent.Name, "Yes")
+ _, _ = fmt.Fprintf(w, "%s%s\t%s\t%s\t%s\t%s\n", printPrefix(prefix), parent.Group, parent.Kind, parent.Namespace, parent.Name, "Yes")
 chs := parentChildMap[parent.UID]
 for i, child := range chs {
 var p string
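Review bot: Dropping the `len(parent.ParentRefs) == 0` guard in `treeViewAppResourcesNotOrphaned` makes every node print itself on entry, so correctness now rests on the `for i, child := range chs` loop below (its body is outside the hunk) no longer emitting the child line before recursing; if it still does, each non-root node appears twice, and the new `assert.Contains` tests in `app_resource_test.go` would not notice. Please confirm the loop only computes `p` and recurses, and state the contract at the top of the function: `// prints this node with its tree prefix, then recurses; children print themselves`. `printPrefix("")` is assumed to yield an empty string so that roots keep their old unprefixed form, which is not visible here. The same applies to `treeViewAppResourcesOrphaned` in the second hunk.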
@@ -107,14 +104,12 @@ func treeViewAppResourcesOrphaned(prefix string, uidToNodeMap map[string]v1alpha
 }
 func detailedTreeViewAppResourcesNotOrphaned(prefix string, uidToNodeMap map[string]v1alpha1.ResourceNode, parentChildMap map[string][]string, parent v1alpha1.ResourceNode, w *tabwriter.Writer) {
- if len(parent.ParentRefs) == 0 {
- healthStatus, reason := extractHealthStatusAndReason(parent)
- age := ""
- if parent.CreatedAt != nil {
- age = duration.HumanDuration(time.Since(parent.CreatedAt.Time))
- }
- _, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", parent.Group, parent.Kind, parent.Namespace, parent.Name, "No", age, healthStatus, reason)
+ healthStatus, reason := extractHealthStatusAndReason(parent)
+ age := ""
+ if parent.CreatedAt != nil {
+ age = duration.HumanDuration(time.Since(parent.CreatedAt.Time))
 }
+ _, _ = fmt.Fprintf(w, "%s%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", printPrefix(prefix), parent.Group, parent.Kind, parent.Namespace, parent.Name, "No", age, healthStatus, reason)
 chs := parentChildMap[parent.UID]
 for i, child := range chs {
 var p string
@@ -134,7 +129,7 @@ func detailedTreeViewAppResourcesOrphaned(prefix string, uidToNodeMap map[string
 if parent.CreatedAt != nil {
 age = duration.HumanDuration(time.Since(parent.CreatedAt.Time))
 }
- _, _ = fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", parent.Group, parent.Kind, parent.Namespace, parent.Name, "Yes", age, healthStatus, reason)
+ _, _ = fmt.Fprintf(w, "%s%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n", printPrefix(prefix), parent.Group, parent.Kind, parent.Namespace, parent.Name, "Yes", age, healthStatus, reason)
 chs := parentChildMap[parent.UID]
 for i, child := range chs {
diff --git a/cmd/argocd/commands/version.go b/cmd/argocd/commands/version.go
index 47766d0240..d7e162bc5e 100644
--- a/cmd/argocd/commands/version.go
+++ b/cmd/argocd/commands/version.go
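Review bot: The age computation hoisted out of the removed guard in `detailedTreeViewAppResourcesNotOrphaned` is now the third copy of the same four lines in this file (the orphaned variant in the second hunk has it too), and the two `Fprintf` format strings differ only in `"No"`/`"Yes"`. Since the commit already touches all of them, this is the moment to fold the age logic into one helper and call `age := ageOf(parent)` at each site, so a future change to how a missing `CreatedAt` is rendered cannot drift between the variants. Both functions continue outside the hunk.
```go
// ageOf renders how long ago the node was created, or "" when CreatedAt is unset.
func ageOf(n v1alpha1.ResourceNode) string {
	if n.CreatedAt == nil {
		return ""
	}
	return duration.HumanDuration(time.Since(n.CreatedAt.Time))
}
```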
@@ -48,7 +48,7 @@ func NewVersionCmd(clientOpts *argocdclient.ClientOptions, serverVersion *versio
 v := make(map[string]any)
 if short {
- v["client"] = map[string]string{cliName: cv.Version}
+ v["client"] = map[string]string{common.CommandCLI: cv.Version}
 } else {
 v["client"] = cv
 }
@@ -103,7 +103,7 @@ func getServerVersion(ctx context.Context, options *argocdclient.ClientOptions,
 }
 func printClientVersion(version *common.Version, short bool) string {
- output := fmt.Sprintf("%s: %s\n", cliName, version)
+ output := fmt.Sprintf("%s: %s\n", common.CommandCLI, version)
 if short {
 return output
 }
diff --git a/cmd/main.go b/cmd/main.go
index 0d836179dc..0af55af6b8 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -20,6 +20,7 @@ import (
 reposerver "github.com/argoproj/argo-cd/v3/cmd/argocd-repo-server/commands"
 apiserver "github.com/argoproj/argo-cd/v3/cmd/argocd-server/commands"
 cli "github.com/argoproj/argo-cd/v3/cmd/argocd/commands"
+ "github.com/argoproj/argo-cd/v3/common"
 "github.com/argoproj/argo-cd/v3/util/log"
 )
@@ -43,33 +44,34 @@ func main() {
 isArgocdCLI := false
 switch binaryName {
- case "argocd", "argocd-linux-amd64", "argocd-darwin-amd64", "argocd-windows-amd64.exe":
+ case common.CommandCLI:
 command = cli.NewCommand()
 isArgocdCLI = true
- case "argocd-server":
+ case common.CommandServer:
 command = apiserver.NewCommand()
- case "argocd-application-controller":
+ case common.CommandApplicationController:
 command = appcontroller.NewCommand()
- case "argocd-repo-server":
+ case common.CommandRepoServer:
 command = reposerver.NewCommand()
- case "argocd-cmp-server":
+ case common.CommandCMPServer:
 command = cmpserver.NewCommand()
 isArgocdCLI = true
- case "argocd-commit-server":
+ case common.CommandCommitServer:
 command = commitserver.NewCommand()
- case "argocd-dex":
+ case common.CommandDex:
 command = dex.NewCommand()
- case "argocd-notifications":
+ case common.CommandNotifications:
 command = notification.NewCommand()
- case "argocd-git-ask-pass":
+ case common.CommandGitAskPass:
 command = gitaskpass.NewCommand()
 isArgocdCLI = true
- case "argocd-applicationset-controller":
+ case common.CommandApplicationSetController:
 command = applicationset.NewCommand()
- case "argocd-k8s-auth":
+ case common.CommandK8sAuth:
 command = k8sauth.NewCommand()
 isArgocdCLI = true
 default:
+ // "argocd-linux-amd64", "argocd-darwin-amd64", "argocd-windows-amd64.exe" are also valid binary names
 command = cli.NewCommand()
 isArgocdCLI = true
 }
diff --git a/cmd/util/app.go b/cmd/util/app.go
index 74d014e16e..1d11a3372c 100644
--- a/cmd/util/app.go
+++ b/cmd/util/app.go
@@ -5,6 +5,7 @@ import (
 stderrors "errors"
 "fmt"
 "io"
+ "maps"
 "net/url"
 "os"
 "strings"
@@ -12,7 +13,7 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 log "github.com/sirupsen/logrus"
 "github.com/spf13/cobra"
@@ -240,8 +241,8 @@ func SetAppSpecOptions(flags *pflag.FlagSet, spec *argoappv1.ApplicationSpec, ap
 }
 for _, option := range appOpts.syncOptions {
 // `!` means remove the option
- if strings.HasPrefix(option, "!") {
- option = strings.TrimPrefix(option, "!")
+ if after, ok := strings.CutPrefix(option, "!"); ok {
+ option = after
 spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.RemoveOption(option)
 } else {
 spec.SyncPolicy.SyncOptions = spec.SyncPolicy.SyncOptions.AddOption(option)
@@ -847,13 +848,9 @@ func mergeLabels(app *argoappv1.Application, labels []string) {
 mergedLabels := make(map[string]string)
- for name, value := range app.GetLabels() {
- mergedLabels[name] = value
- }
+ maps.Copy(mergedLabels, app.GetLabels())
- for name, value := range mapLabels {
- mergedLabels[name] = value
- }
+ maps.Copy(mergedLabels, mapLabels)
 app.SetLabels(mergedLabels)
 }
diff --git a/cmd/util/applicationset.go b/cmd/util/applicationset.go
index edf7718485..05a2ea4df3 100644
--- a/cmd/util/applicationset.go
+++ b/cmd/util/applicationset.go
@@ -5,7 +5,7 @@ import (
 "net/url"
 "os"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 argoprojiov1alpha1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 "github.com/argoproj/argo-cd/v3/util/config"
diff --git a/cmpserver/plugin/plugin.go b/cmpserver/plugin/plugin.go
index f8b63b4f5b..5f307da378 100644
--- a/cmpserver/plugin/plugin.go
+++ b/cmpserver/plugin/plugin.go
@@ -24,7 +24,7 @@ import (
 argoexec "github.com/argoproj/argo-cd/v3/util/exec"
 "github.com/argoproj/argo-cd/v3/util/io/files"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 securejoin "github.com/cyphar/filepath-securejoin"
 "github.com/mattn/go-zglob"
 log "github.com/sirupsen/logrus"
diff --git a/cmpserver/plugin/plugin_unix.go b/cmpserver/plugin/plugin_unix.go
index ea6b7b5493..be3ff6fa54 100644
--- a/cmpserver/plugin/plugin_unix.go
+++ b/cmpserver/plugin/plugin_unix.go
@@ -1,5 +1,4 @@
 //go:build !windows
-// +build !windows
 package plugin
diff --git a/cmpserver/plugin/plugin_windows.go b/cmpserver/plugin/plugin_windows.go
index b8873a9793..7e185cc5dd 100644
--- a/cmpserver/plugin/plugin_windows.go
+++ b/cmpserver/plugin/plugin_windows.go
@@ -1,5 +1,4 @@
 //go:build windows
-// +build windows
 package plugin
diff --git a/commitserver/commit/addnote_race_test.go b/commitserver/commit/addnote_race_test.go
index 2dd901855b..cdc30ccd40 100644
--- a/commitserver/commit/addnote_race_test.go
+++ b/commitserver/commit/addnote_race_test.go
@@ -35,7 +35,7 @@ func TestAddNoteConcurrentStaggered(t *testing.T) {
 // Create separate clones for concurrent operations
 cloneClients := make([]git.Client, 3)
- for i := 0; i < 3; i++ {
+ for i := range 3 {
 cloneClients[i] = getClientForClone(t, remotePath)
 }
@@ -43,7 +43,7 @@ func TestAddNoteConcurrentStaggered(t *testing.T) {
 var wg sync.WaitGroup
 errors := make([]error, 3)
- for i := 0; i < 3; i++ {
+ for i := range 3 {
 wg.Add(1)
 go func(idx int) {
 defer wg.Done()
@@ -81,7 +81,7 @@ func TestAddNoteConcurrentSimultaneous(t *testing.T) {
 // Create separate clones for concurrent operations
 cloneClients := make([]git.Client, 3)
- for i := 0; i < 3; i++ {
+ for i := range 3 {
 cloneClients[i] = getClientForClone(t, remotePath)
 }
@@ -89,7 +89,7 @@ func TestAddNoteConcurrentSimultaneous(t *testing.T) {
 var wg sync.WaitGroup
 startChan := make(chan struct{})
- for i := 0; i < 3; i++ {
+ for i := range 3 {
 wg.Add(1)
 go func(idx int) {
 defer wg.Done()
diff --git a/common/common.go b/common/common.go
index 8d5d1f2bd1..262a4fbd2b 100644
--- a/common/common.go
+++ b/common/common.go
@@ -17,10 +17,19 @@ import (
 "k8s.io/client-go/kubernetes"
 )
-// Component names
+// Argo CD component names
 const (
- ApplicationController = "argocd-application-controller"
- ApplicationSetController = "argocd-applicationset-controller"
+ CommandCLI = "argocd"
+ CommandApplicationController = "argocd-application-controller"
+ CommandApplicationSetController = "argocd-applicationset-controller"
+ CommandServer = "argocd-server"
+ CommandCMPServer = "argocd-cmp-server"
+ CommandCommitServer = "argocd-commit-server"
+ CommandGitAskPass = "argocd-git-ask-pass"
+ CommandNotifications = "argocd-notifications"
+ CommandK8sAuth = "argocd-k8s-auth"
+ CommandDex = "argocd-dex"
+ CommandRepoServer = "argocd-repo-server"
 )
 // Default service addresses and URLS of Argo CD internal services
@@ -108,7 +117,6 @@ const (
 // Argo CD application related constants
 const (
- // ArgoCDAdminUsername is the username of the 'admin' user
 ArgoCDAdminUsername = "admin"
 // ArgoCDUserAgentName is the default user-agent name used by the gRPC API client library and grpc-gateway
diff --git a/common/common_test.go b/common/common_test.go
index 87e0f3474e..8d9066cba5 100644
--- a/common/common_test.go
+++ b/common/common_test.go
@@ -85,7 +85,6 @@ func TestSetOptionalRedisPasswordFromKubeConfig(t *testing.T) {
 },
 }
 for _, tc := range testCases {
- tc := tc
 t.Run(tc.name, func(t *testing.T) {
 t.Parallel()
 var (
diff --git a/controller/appcontroller.go b/controller/appcontroller.go
index ec75d4e342..04ad9a48bf 100644
--- a/controller/appcontroller.go
+++ b/controller/appcontroller.go
@@ -5,6 +5,7 @@ import (
 "encoding/json"
 stderrors "errors"
 "fmt"
+ "maps"
 "math"
 "math/rand"
 "net/http"
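Review bot: `ApplicationController` and `ApplicationSetController` were exported from package `common` and are removed rather than renamed, so any out-of-tree code that imports `github.com/argoproj/argo-cd/v3/common` for them stops compiling; the in-tree caller (`appcontroller.go` below) is updated, external users are not. If the package's public surface is meant to stay stable within v3, keep deprecated aliases beside the new block: `// Deprecated: use CommandApplicationController.` followed by `ApplicationController = CommandApplicationController`, and likewise `ApplicationSetController = CommandApplicationSetController`. The const block is complete within the hunk.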
@@ -16,12 +17,12 @@ import ( "sync" "time" - clustercache "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + clustercache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" jsonpatch "github.com/evanphx/json-patch" log "github.com/sirupsen/logrus" "golang.org/x/sync/semaphore" @@ -205,7 +206,7 @@ func NewApplicationController( statusRefreshJitter: appResyncJitter, refreshRequestedApps: make(map[string]CompareWith), refreshRequestedAppsMutex: &sync.Mutex{}, - auditLogger: argo.NewAuditLogger(kubeClientset, common.ApplicationController, enableK8sEvent), + auditLogger: argo.NewAuditLogger(kubeClientset, common.CommandApplicationController, enableK8sEvent), settingsMgr: settingsMgr, selfHealTimeout: selfHealTimeout, selfHealBackoff: selfHealBackoff, @@ -927,14 +928,14 @@ func (ctrl *ApplicationController) Run(ctx context.Context, statusProcessors int go func() { errors.CheckError(ctrl.stateCache.Run(ctx)) }() go func() { errors.CheckError(ctrl.metricsServer.ListenAndServe()) }() - for i := 0; i < statusProcessors; i++ { + for range statusProcessors { go wait.Until(func() { for ctrl.processAppRefreshQueueItem() { } }, time.Second, ctx.Done()) } - for i := 0; i < operationProcessors; i++ { + for range operationProcessors { go wait.Until(func() { for ctrl.processAppOperationQueueItem() { } 
@@ -1137,13 +1138,13 @@ func (ctrl *ApplicationController) processProjectQueueItem() (processNext bool) } func (ctrl *ApplicationController) finalizeProjectDeletion(proj *appv1.AppProject) error { - apps, err := ctrl.appLister.Applications(ctrl.namespace).List(labels.Everything()) + apps, err := ctrl.appLister.List(labels.Everything()) if err != nil { return fmt.Errorf("error listing applications: %w", err) } appsCount := 0 for i := range apps { - if apps[i].Spec.GetProject() == proj.Name { + if apps[i].Spec.GetProject() == proj.Name && ctrl.isAppNamespaceAllowed(apps[i]) && proj.IsAppNamespacePermitted(apps[i], ctrl.namespace) { appsCount++ } } @@ -1559,8 +1560,18 @@ func (ctrl *ApplicationController) processRequestedAppOperation(app *appv1.Appli // if we just completed an operation, force a refresh so that UI will report up-to-date // sync/health information if _, err := cache.MetaNamespaceKeyFunc(app); err == nil { - // force app refresh with using CompareWithLatest comparison type and trigger app reconciliation loop - ctrl.requestAppRefresh(app.QualifiedName(), CompareWithLatestForceResolve.Pointer(), nil) + var compareWith CompareWith + if state.Operation.InitiatedBy.Automated { + // Do not force revision resolution on automated operations because + // this would cause excessive Ls-Remote requests on monorepo commits + compareWith = CompareWithLatest + } else { + // Force app refresh with using most recent resolved revision after sync, + // so UI won't show a just synced application being out of sync if it was + // synced after commit but before app. refresh (see #18153) + compareWith = CompareWithLatestForceResolve + } + ctrl.requestAppRefresh(app.QualifiedName(), compareWith.Pointer(), nil) } else { logCtx.WithError(err).Warn("Fails to requeue application") } 
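Review bot: The new filter in `finalizeProjectDeletion` deliberately lets apps that still reference `proj` but sit in a namespace the project does not permit (or the controller does not watch) fall out of `appsCount`, so the finalizer is removed while those apps keep pointing at a project that is about to disappear; nothing in the hunk records that this is intentional. A comment above the loop would keep the next reader from filing it as a bug: `// Only apps the controller watches and the project permits can be members of it; apps elsewhere were never valid members and must not block deletion.` The code after the count, where the finalizer patch is issued, is outside the hunk.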
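Review bot: Choosing `CompareWithLatest` for automated operations re-opens, for auto-synced apps, the stale OutOfSync window that the `else` branch comment cites (#18153), but the comment on the `Automated` branch states only the Ls-Remote saving and not the cost. Add the other half, e.g. `// Trade-off: an auto-synced app may briefly show OutOfSync if a commit landed between sync and refresh.` The `var compareWith CompareWith` plus `if`/`else` could also collapse to `compareWith := CompareWithLatestForceResolve` followed by a single `if state.Operation.InitiatedBy.Automated { compareWith = CompareWithLatest }`, which keeps each comment on the branch it explains. `processRequestedAppOperation` starts and ends outside the hunk.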
@@ -2131,9 +2142,7 @@ func (ctrl *ApplicationController) persistAppStatus(orig *appv1.Application, new var newAnnotations map[string]string if orig.GetAnnotations() != nil { newAnnotations = make(map[string]string) - for k, v := range orig.GetAnnotations() { - newAnnotations[k] = v - } + maps.Copy(newAnnotations, orig.GetAnnotations()) delete(newAnnotations, appv1.AnnotationKeyRefresh) delete(newAnnotations, appv1.AnnotationKeyHydrate) } @@ -2374,7 +2383,7 @@ func (ctrl *ApplicationController) selfHealRemainingBackoff(app *appv1.Applicati backOff.Steps = selfHealAttemptsCount var delay time.Duration steps := backOff.Steps - for i := 0; i < steps; i++ { + for range steps { delay = backOff.Step() } if timeSinceOperation == nil { diff --git a/controller/appcontroller_test.go b/controller/appcontroller_test.go index a645698852..244a2e5345 100644 --- a/controller/appcontroller_test.go +++ b/controller/appcontroller_test.go @@ -9,9 +9,9 @@ import ( "testing" "time" - clustercache "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" + clustercache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest" "github.com/sirupsen/logrus" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/api/resource" 
@@ -24,9 +24,9 @@ import ( statecache "github.com/argoproj/argo-cd/v3/controller/cache" "github.com/argoproj/argo-cd/v3/controller/sharding" - "github.com/argoproj/gitops-engine/pkg/cache/mocks" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache/mocks" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" appsv1 "k8s.io/api/apps/v1" @@ -66,16 +66,17 @@ type namespacedResource struct { } type fakeData struct { - apps []runtime.Object - manifestResponse *apiclient.ManifestResponse - manifestResponses []*apiclient.ManifestResponse - managedLiveObjs map[kube.ResourceKey]*unstructured.Unstructured - namespacedResources map[kube.ResourceKey]namespacedResource - configMapData map[string]string - metricsCacheExpiration time.Duration - applicationNamespaces []string - updateRevisionForPathsResponse *apiclient.UpdateRevisionForPathsResponse - additionalObjs []runtime.Object + apps []runtime.Object + manifestResponse *apiclient.ManifestResponse + manifestResponses []*apiclient.ManifestResponse + managedLiveObjs map[kube.ResourceKey]*unstructured.Unstructured + namespacedResources map[kube.ResourceKey]namespacedResource + configMapData map[string]string + metricsCacheExpiration time.Duration + applicationNamespaces []string + updateRevisionForPathsResponse *apiclient.UpdateRevisionForPathsResponse + updateRevisionForPathsResponses []*apiclient.UpdateRevisionForPathsResponse + additionalObjs []runtime.Object } type MockKubectl struct { 
@@ -125,10 +126,20 @@ func newFakeControllerWithResync(ctx context.Context, data *fakeData, appResyncP } } - if revisionPathsErr != nil { - mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(nil, revisionPathsErr) + if len(data.updateRevisionForPathsResponses) > 0 { + for _, response := range data.updateRevisionForPathsResponses { + if revisionPathsErr != nil { + mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(response, revisionPathsErr) + } else { + mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(response, nil) + } + } } else { - mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(data.updateRevisionForPathsResponse, nil) + if revisionPathsErr != nil { + mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(nil, revisionPathsErr) + } else { + mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(data.updateRevisionForPathsResponse, nil) + } } mockRepoClientset := &mockrepoclient.Clientset{RepoServerServiceClient: mockRepoClient} 
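Review bot: The inner `if revisionPathsErr != nil` in the new loop is redundant: both branches register the same expectation and differ only in the error argument, which is already `nil` in the else case, so `mockRepoClient.EXPECT().UpdateRevisionForPaths(mock.Anything, mock.Anything).Return(response, revisionPathsErr)` can be the whole loop body. The outer `else { if ... }` reads better as `} else if revisionPathsErr != nil {`. Note that the multi-response path returns a non-nil response together with an error whereas the single-response path returns `nil, revisionPathsErr`; if the asymmetry is deliberate a one-line comment should say why. `newFakeControllerWithResync` begins and ends outside the hunk.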
@@ -2302,6 +2313,93 @@ func TestFinalizeProjectDeletion_DoesNotHaveApplications(t *testing.T) { }, receivedPatch) } +func TestFinalizeProjectDeletion_HasApplicationInOtherNamespace(t *testing.T) { + app := newFakeApp() + app.Namespace = "team-a" + proj := &v1alpha1.AppProject{ + ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}, + Spec: v1alpha1.AppProjectSpec{ + SourceNamespaces: []string{"team-a"}, + }, + } + ctrl := newFakeController(t.Context(), &fakeData{ + apps: []runtime.Object{app, proj}, + applicationNamespaces: []string{"team-a"}, + }, nil) + + fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset) + patched := false + fakeAppCs.PrependReactor("patch", "*", func(_ kubetesting.Action) (handled bool, ret runtime.Object, err error) { + patched = true + return true, &v1alpha1.AppProject{}, nil + }) + + err := ctrl.finalizeProjectDeletion(proj) + require.NoError(t, err) + assert.False(t, patched) +} + +func TestFinalizeProjectDeletion_IgnoresAppsInUnmonitoredNamespace(t *testing.T) { + app := newFakeApp() + app.Namespace = "team-b" + proj := &v1alpha1.AppProject{ + ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}, + } + ctrl := newFakeController(t.Context(), &fakeData{ + apps: []runtime.Object{app, proj}, + applicationNamespaces: []string{"team-a"}, + }, nil) + + fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset) + receivedPatch := map[string]any{} + fakeAppCs.PrependReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) { + if patchAction, ok := action.(kubetesting.PatchAction); ok { + require.NoError(t, json.Unmarshal(patchAction.GetPatch(), &receivedPatch)) + } + return true, &v1alpha1.AppProject{}, nil + }) + + err := ctrl.finalizeProjectDeletion(proj) + require.NoError(t, err) + assert.Equal(t, map[string]any{ + "metadata": map[string]any{ + "finalizers": nil, + }, + }, receivedPatch) +} + +func 
TestFinalizeProjectDeletion_IgnoresAppsNotPermittedByProject(t *testing.T) { + app := newFakeApp() + app.Namespace = "team-b" + proj := &v1alpha1.AppProject{ + ObjectMeta: metav1.ObjectMeta{Name: "default", Namespace: test.FakeArgoCDNamespace}, + Spec: v1alpha1.AppProjectSpec{ + SourceNamespaces: []string{"team-a"}, + }, + } + ctrl := newFakeController(t.Context(), &fakeData{ + apps: []runtime.Object{app, proj}, + applicationNamespaces: []string{"team-a", "team-b"}, + }, nil) + + fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset) + receivedPatch := map[string]any{} + fakeAppCs.PrependReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) { + if patchAction, ok := action.(kubetesting.PatchAction); ok { + require.NoError(t, json.Unmarshal(patchAction.GetPatch(), &receivedPatch)) + } + return true, &v1alpha1.AppProject{}, nil + }) + + err := ctrl.finalizeProjectDeletion(proj) + require.NoError(t, err) + assert.Equal(t, map[string]any{ + "metadata": map[string]any{ + "finalizers": nil, + }, + }, receivedPatch) +} + func TestProcessRequestedAppOperation_FailedNoRetries(t *testing.T) { app := newFakeApp() app.Spec.Project = "default" 
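Review bot: `TestFinalizeProjectDeletion_IgnoresAppsInUnmonitoredNamespace` does not isolate the condition it is named for: `proj` has no `SourceNamespaces`, so `IsAppNamespacePermitted` is already false for `team-b` and the test would still pass if the `isAppNamespaceAllowed` check were dropped from `finalizeProjectDeletion`. Give the project `Spec: v1alpha1.AppProjectSpec{SourceNamespaces: []string{"team-b"}}` so that only the controller's watched-namespace check can exclude the app, leaving the project-permission case to `TestFinalizeProjectDeletion_IgnoresAppsNotPermittedByProject`, which already covers it.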
@@ -2546,6 +2644,41 @@ func TestProcessRequestedAppOperation_Successful(t *testing.T) { assert.Equal(t, CompareWithLatestForceResolve, level) } +func TestProcessRequestedAppAutomatedOperation_Successful(t *testing.T) { + app := newFakeApp() + app.Spec.Project = "default" + app.Operation = &v1alpha1.Operation{ + Sync: &v1alpha1.SyncOperation{}, + InitiatedBy: v1alpha1.OperationInitiator{ + Automated: true, + }, + } + ctrl := newFakeController(t.Context(), &fakeData{ + apps: []runtime.Object{app, &defaultProj}, + manifestResponses: []*apiclient.ManifestResponse{{ + Manifests: []string{}, + }}, + }, nil) + fakeAppCs := ctrl.applicationClientset.(*appclientset.Clientset) + receivedPatch := map[string]any{} + fakeAppCs.PrependReactor("patch", "*", func(action kubetesting.Action) (handled bool, ret runtime.Object, err error) { + if patchAction, ok := action.(kubetesting.PatchAction); ok { + require.NoError(t, json.Unmarshal(patchAction.GetPatch(), &receivedPatch)) + } + return true, &v1alpha1.Application{}, nil + }) + + ctrl.processRequestedAppOperation(app) + + phase, _, _ := unstructured.NestedString(receivedPatch, "status", "operationState", "phase") + message, _, _ := unstructured.NestedString(receivedPatch, "status", "operationState", "message") + assert.Equal(t, string(synccommon.OperationSucceeded), phase) + assert.Equal(t, "successfully synced (no more tasks)", message) + ok, level := ctrl.isRefreshRequested(ctrl.toAppKey(app.Name)) + assert.True(t, ok) + assert.Equal(t, CompareWithLatest, level) +} + func TestProcessRequestedAppOperation_SyncTimeout(t *testing.T) { testCases := []struct { name string diff --git a/controller/cache/cache.go b/controller/cache/cache.go index 8a7cff3438..dc66e786a6 100644 --- a/controller/cache/cache.go +++ b/controller/cache/cache.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "maps" "math" "net" "net/url" 
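Review bot: `TestProcessRequestedAppAutomatedOperation_Successful` appears to repeat `TestProcessRequestedAppOperation_Successful` except for `InitiatedBy.Automated` and the expected refresh level, so the two will drift apart the next time the success path changes. A table-driven test with cases `{automated: false, want: CompareWithLatestForceResolve}` and `{automated: true, want: CompareWithLatest}` would keep them in step. The sibling test's body is outside the hunk, so the duplication is inferred from the shared assertions visible here.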
@@ -15,9 +16,9 @@ import ( "syscall" "time" - clustercache "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + clustercache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" "golang.org/x/sync/semaphore" corev1 "k8s.io/api/core/v1" @@ -366,9 +367,7 @@ func getAppRecursive(r *clustercache.Resource, ns map[kube.ResourceKey]*clusterc gv := ownerRefGV(ownerRef) if parent, ok := ns[kube.NewResourceKey(gv.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)]; ok { visitedBranch := make(map[kube.ResourceKey]bool, len(visited)) - for k, v := range visited { - visitedBranch[k] = v - } + maps.Copy(visitedBranch, visited) app, ok := getAppRecursive(parent, ns, visitedBranch) if app != "" || !ok { return app, ok diff --git a/controller/cache/cache_test.go b/controller/cache/cache_test.go index acbd7b86f0..4c2a89f5d7 100644 --- a/controller/cache/cache_test.go +++ b/controller/cache/cache_test.go @@ -18,10 +18,10 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/cache/mocks" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache/mocks" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/mock" "k8s.io/client-go/kubernetes/fake" diff --git a/controller/cache/info.go b/controller/cache/info.go index f58508cfb3..b8a1e4bf9f 100644 --- a/controller/cache/info.go +++ b/controller/cache/info.go 
@@ -9,8 +9,8 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/text" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/cespare/xxhash/v2" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" diff --git a/controller/cache/info_test.go b/controller/cache/info_test.go index 69111586b6..87eca1cd37 100644 --- a/controller/cache/info_test.go +++ b/controller/cache/info_test.go @@ -4,7 +4,7 @@ import ( "sort" "testing" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/controller/cache/mocks/LiveStateCache.go b/controller/cache/mocks/LiveStateCache.go index 93b0260ba7..dda8f0a48a 100644 --- a/controller/cache/mocks/LiveStateCache.go +++ b/controller/cache/mocks/LiveStateCache.go @@ -7,10 +7,10 @@ package mocks import ( "context" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" cache0 "github.com/argoproj/argo-cd/v3/controller/cache" "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/utils/kube" mock "github.com/stretchr/testify/mock" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" diff --git a/controller/clusterinfoupdater.go b/controller/clusterinfoupdater.go index 65f4aed596..a7f8c504a8 100644 --- a/controller/clusterinfoupdater.go +++ b/controller/clusterinfoupdater.go 
@@ -7,8 +7,8 @@ import ( "github.com/argoproj/argo-cd/v3/common" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/labels" diff --git a/controller/clusterinfoupdater_test.go b/controller/clusterinfoupdater_test.go index 8c66e1ce13..47f8364b72 100644 --- a/controller/clusterinfoupdater_test.go +++ b/controller/clusterinfoupdater_test.go @@ -21,7 +21,7 @@ import ( "github.com/argoproj/argo-cd/v3/util/db" "github.com/argoproj/argo-cd/v3/util/settings" - clustercache "github.com/argoproj/gitops-engine/pkg/cache" + clustercache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "k8s.io/client-go/kubernetes/fake" diff --git a/controller/health.go b/controller/health.go index 6e418077ef..4b4ea2b26f 100644 --- a/controller/health.go +++ b/controller/health.go @@ -3,10 +3,10 @@ package controller import ( "fmt" - "github.com/argoproj/gitops-engine/pkg/health" - hookutil "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/sync/ignore" - kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + hookutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/ignore" + kubeutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v3/common" diff --git a/controller/health_test.go b/controller/health_test.go index 5a0eb1a3d9..d0b89cb330 100644 --- a/controller/health_test.go +++ b/controller/health_test.go 
@@ -6,9 +6,9 @@ import ( "testing" "time" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/controller/hook.go b/controller/hook.go index 3a4a613880..db834388d1 100644 --- a/controller/hook.go +++ b/controller/hook.go @@ -5,10 +5,10 @@ import ( "fmt" "strings" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" diff --git a/controller/hydrator/hydrator.go b/controller/hydrator/hydrator.go index 98cc79ec0a..3ed6752879 100644 --- a/controller/hydrator/hydrator.go +++ b/controller/hydrator/hydrator.go @@ -384,7 +384,6 @@ func (h *Hydrator) hydrate(logCtx *log.Entry, apps []*appv1.Application, project var mu sync.Mutex for _, app := range apps[1:] { - app := app eg.Go(func() error { _, pathDetails, err = h.getManifests(ctx, app, targetRevision, projects[app.Spec.Project]) mu.Lock() diff --git a/controller/hydrator/hydrator_test.go b/controller/hydrator/hydrator_test.go index ef62d21448..7dd0afe5e5 100644 --- a/controller/hydrator/hydrator_test.go +++ b/controller/hydrator/hydrator_test.go 
@@ -17,7 +17,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/utils/ptr" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" commitclient "github.com/argoproj/argo-cd/v3/commitserver/apiclient" commitservermocks "github.com/argoproj/argo-cd/v3/commitserver/apiclient/mocks" diff --git a/controller/metrics/clustercollector.go b/controller/metrics/clustercollector.go index 1881ae6efe..a5afa5ea62 100644 --- a/controller/metrics/clustercollector.go +++ b/controller/metrics/clustercollector.go @@ -5,7 +5,7 @@ import ( "sync" "time" - "github.com/argoproj/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" "github.com/prometheus/client_golang/prometheus" log "github.com/sirupsen/logrus" diff --git a/controller/metrics/clustercollector_test.go b/controller/metrics/clustercollector_test.go index 5aff5a71fa..7778d59375 100644 --- a/controller/metrics/clustercollector_test.go +++ b/controller/metrics/clustercollector_test.go @@ -4,7 +4,7 @@ import ( "errors" "testing" - gitopsCache "github.com/argoproj/gitops-engine/pkg/cache" + gitopsCache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" "github.com/stretchr/testify/mock" dbmocks "github.com/argoproj/argo-cd/v3/util/db/mocks" @@ -115,7 +115,6 @@ argocd_cluster_labels{label_env="production",label_team="team3",name="cluster3", } for _, c := range cases { - c := c t.Run(c.description, func(t *testing.T) { if !c.skip { cfg := TestMetricServerConfig{ diff --git a/controller/metrics/metrics.go b/controller/metrics/metrics.go index 64e91c7a79..1652af7f95 100644 --- a/controller/metrics/metrics.go +++ b/controller/metrics/metrics.go @@ -10,7 +10,7 @@ import ( "strconv" "time" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promhttp" "github.com/robfig/cron/v3" 
@@ -300,12 +300,12 @@ func (m *MetricsServer) IncKubernetesRequest(app *argoappv1.Application, server, } func (m *MetricsServer) IncRedisRequest(failed bool) { - m.redisRequestCounter.WithLabelValues(m.hostname, common.ApplicationController, strconv.FormatBool(failed)).Inc() + m.redisRequestCounter.WithLabelValues(m.hostname, common.CommandApplicationController, strconv.FormatBool(failed)).Inc() } // ObserveRedisRequestDuration observes redis request duration func (m *MetricsServer) ObserveRedisRequestDuration(duration time.Duration) { - m.redisRequestHistogram.WithLabelValues(m.hostname, common.ApplicationController).Observe(duration.Seconds()) + m.redisRequestHistogram.WithLabelValues(m.hostname, common.CommandApplicationController).Observe(duration.Seconds()) } // ObserveResourceEventsProcessingDuration observes resource events processing duration diff --git a/controller/metrics/metrics_test.go b/controller/metrics/metrics_test.go index 524ab98f79..1135600eb5 100644 --- a/controller/metrics/metrics_test.go +++ b/controller/metrics/metrics_test.go @@ -13,8 +13,8 @@ import ( "github.com/argoproj/argo-cd/v3/util/db/mocks" - gitopsCache "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/sync/common" + gitopsCache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -410,7 +410,6 @@ argocd_app_labels{label_non_existing="",name="my-app-3",namespace="argocd",proje } for _, c := range cases { - c := c t.Run(c.description, func(t *testing.T) { testMetricServer(t, c.applications, c.responseContains, c.metricLabels, []string{}) }) 
@@ -464,7 +463,6 @@ argocd_app_condition{condition="ExcludedResourceWarning",name="my-app-4",namespa } for _, c := range cases { - c := c t.Run(c.description, func(t *testing.T) { testMetricServer(t, c.applications, c.responseContains, []string{}, c.metricConditions) }) @@ -506,7 +504,7 @@ argocd_app_sync_total{dest_server="https://localhost:6443",dry_run="false",name= // assertMetricsPrinted asserts every line in the expected lines appears in the body func assertMetricsPrinted(t *testing.T, expectedLines, body string) { t.Helper() - for _, line := range strings.Split(expectedLines, "\n") { + for line := range strings.SplitSeq(expectedLines, "\n") { if line == "" { continue } @@ -517,7 +515,7 @@ func assertMetricsPrinted(t *testing.T, expectedLines, body string) { // assertMetricsNotPrinted func assertMetricsNotPrinted(t *testing.T, expectedLines, body string) { t.Helper() - for _, line := range strings.Split(expectedLines, "\n") { + for line := range strings.SplitSeq(expectedLines, "\n") { if line == "" { continue } diff --git a/controller/sharding/cache.go b/controller/sharding/cache.go index febcd73b5a..38cf3bc053 100644 --- a/controller/sharding/cache.go +++ b/controller/sharding/cache.go @@ -1,10 +1,13 @@ package sharding import ( + "maps" + "strconv" "sync" log "github.com/sirupsen/logrus" + "github.com/argoproj/argo-cd/v3/common" "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v3/util/db" ) 
@@ -60,6 +63,10 @@ func (sharding *ClusterSharding) IsManagedCluster(c *v1alpha1.Cluster) bool { if c == nil { // nil cluster (in-cluster) is always managed by current clusterShard return true } + if skipReconcile, err := strconv.ParseBool(c.Annotations[common.AnnotationKeyAppSkipReconcile]); err == nil && skipReconcile { + log.Debugf("Cluster %s has %s annotation set, skipping", c.Server, common.AnnotationKeyAppSkipReconcile) + return false + } clusterShard := 0 if shard, ok := sharding.Shards[c.Server]; ok { clusterShard = shard @@ -134,9 +141,7 @@ func (sharding *ClusterSharding) GetDistribution() map[string]int { shards := sharding.Shards distribution := make(map[string]int, len(shards)) - for k, v := range shards { - distribution[k] = v - } + maps.Copy(distribution, shards) return distribution } diff --git a/controller/sharding/cache_test.go b/controller/sharding/cache_test.go index b8d5962703..04cd4e9dfc 100644 --- a/controller/sharding/cache_test.go +++ b/controller/sharding/cache_test.go @@ -5,6 +5,7 @@ import ( "github.com/stretchr/testify/assert" + "github.com/argoproj/argo-cd/v3/common" "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" dbmocks "github.com/argoproj/argo-cd/v3/util/db/mocks" ) 
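Review bot: The new check in `IsManagedCluster` silently ignores a `strconv.ParseBool` error, so a cluster annotated with a mistyped value such as `"yes"` or `"True "` keeps being reconciled with no signal to the operator, while a genuine skip is recorded only at Debug level even though its effect is that no shard will manage the cluster. Distinguish the two cases: warn when the annotation is present but unparseable, and log the skip at Info so it appears in default output. The function signature and the shard lookup that follows are outside the hunk.

```go
if raw, ok := c.Annotations[common.AnnotationKeyAppSkipReconcile]; ok {
	skip, err := strconv.ParseBool(raw)
	switch {
	case err != nil:
		log.Warnf("Cluster %s has unparseable %s annotation value %q, ignoring it", c.Server, common.AnnotationKeyAppSkipReconcile, raw)
	case skip:
		log.Infof("Cluster %s has %s annotation set, skipping", c.Server, common.AnnotationKeyAppSkipReconcile)
		return false
	}
}
// … unchanged: shard lookup and comparison …
```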
@@ -322,6 +323,28 @@ func TestClusterSharding_IsManagedCluster(t *testing.T) { })) } +func TestIsManagedCluster_SkipReconcileAnnotation(t *testing.T) { + sharding := setupTestSharding(0, 1) + sharding.Init( + &v1alpha1.ClusterList{Items: []v1alpha1.Cluster{{ID: "1", Server: "https://cluster1"}}}, + &v1alpha1.ApplicationList{}, + ) + + assert.True(t, sharding.IsManagedCluster(&v1alpha1.Cluster{Server: "https://cluster1"})) + + assert.False(t, sharding.IsManagedCluster(&v1alpha1.Cluster{ + Server: "https://cluster1", + Annotations: map[string]string{common.AnnotationKeyAppSkipReconcile: "true"}, + })) + + assert.True(t, sharding.IsManagedCluster(&v1alpha1.Cluster{ + Server: "https://cluster1", + Annotations: map[string]string{common.AnnotationKeyAppSkipReconcile: "false"}, + })) + + assert.True(t, sharding.IsManagedCluster(nil)) +} + func TestClusterSharding_ClusterShardOfResourceShouldNotBeChanged(t *testing.T) { shard := 1 replicas := 2 diff --git a/controller/sharding/sharding.go b/controller/sharding/sharding.go index a09cb3d429..7910065e09 100644 --- a/controller/sharding/sharding.go +++ b/controller/sharding/sharding.go @@ -209,7 +209,7 @@ func createConsistentHashingWithBoundLoads(replicas int, getCluster clusterAcces // Adding a shard with id "-1" as a reserved value for clusters that does not have an assigned shard // this happens for clusters that are removed for the clusters list // consistentHashing.Add("-1") - for i := 0; i < replicas; i++ { + for i := range replicas { shard := strconv.Itoa(i) consistentHashing.Add(shard) appsIndexedByShard[shard] = 0 @@ -445,7 +445,7 @@ func generateDefaultShardMappingCM(namespace, hostname string, replicas, shard i func getDefaultShardMappingData(replicas int) []shardApplicationControllerMapping { shardMappingData := make([]shardApplicationControllerMapping, 0) - for i := 0; i < replicas; i++ { + for i := range replicas { mapping := shardApplicationControllerMapping{ ShardNumber: i, } 
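Review bot: `TestIsManagedCluster_SkipReconcileAnnotation` covers `"true"`, `"false"` and a missing annotation but not an unparseable value, which is the path where `strconv.ParseBool` returns an error and the new check falls through to normal shard handling. Add `assert.True(t, sharding.IsManagedCluster(&v1alpha1.Cluster{Server: "https://cluster1", Annotations: map[string]string{common.AnnotationKeyAppSkipReconcile: "yes"}}))` so that fall-through behaviour is pinned and cannot change unnoticed.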
diff --git a/controller/sharding/sharding_test.go b/controller/sharding/sharding_test.go index 0afd3c865c..072a5b525e 100644 --- a/controller/sharding/sharding_test.go +++ b/controller/sharding/sharding_test.go @@ -224,7 +224,7 @@ func TestGetShardByIndexModuloReplicasCountDistributionFunctionWhenClusterNumber // and for 4096 clusters, execution time was under 9s // The other implementation was giving almost linear time of 400ms up to 10'000 clusters clusterPointers := []*v1alpha1.Cluster{} - for i := 0; i < 2048; i++ { + for i := range 2048 { cluster := createCluster(fmt.Sprintf("cluster-%d", i), strconv.Itoa(i)) clusterPointers = append(clusterPointers, &cluster) } @@ -282,7 +282,7 @@ func TestConsistentHashingWhenClusterIsAddedAndRemoved(t *testing.T) { prefix := "cluster" clusters := []v1alpha1.Cluster{} - for i := 0; i < clusterCount; i++ { + for i := range clusterCount { id := fmt.Sprintf("%06d", i) cluster := fmt.Sprintf("%s-%s", prefix, id) clusters = append(clusters, createCluster(cluster, id)) @@ -298,7 +298,7 @@ func TestConsistentHashingWhenClusterIsAddedAndRemoved(t *testing.T) { assert.Equal(t, 0, distributionFunction(nil)) distributionMap := map[int]int{} assignementMap := map[string]int{} - for i := 0; i < clusterCount; i++ { + for i := range clusterCount { assignedShard := distributionFunction(&clusters[i]) assignementMap[clusters[i].ID] = assignedShard distributionMap[assignedShard]++ @@ -330,7 +330,7 @@ func TestConsistentHashingWhenClusterIsAddedAndRemoved(t *testing.T) { replicasCount = 2 distributionFunction = ConsistentHashingWithBoundedLoadsDistributionFunction(getClusterAccessor(clusterList.Items), appAccessor, replicasCount) removedCluster := clusterList.Items[len(clusterList.Items)-1] - for i := 0; i < clusterCount; i++ { + for i := range clusterCount { c := &clusters[i] assignedShard := distributionFunction(c) prevıouslyAssignedShard := assignementMap[clusters[i].ID] 
diff --git a/controller/sort_delete.go b/controller/sort_delete.go index 6b829de4fe..6823da5d2f 100644 --- a/controller/sort_delete.go +++ b/controller/sort_delete.go @@ -3,7 +3,7 @@ package controller import ( "sort" - "github.com/argoproj/gitops-engine/pkg/sync/syncwaves" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/syncwaves" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/controller/sort_delete_test.go b/controller/sort_delete_test.go index e3a89c0280..fb4c344fbf 100644 --- a/controller/sort_delete_test.go +++ b/controller/sort_delete_test.go @@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/argoproj/gitops-engine/pkg/sync/common" - . "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/controller/state.go b/controller/state.go index fd1b8a85ef..e2a393e2e0 100644 --- a/controller/state.go +++ b/controller/state.go 
@@ -11,17 +11,17 @@ import ( goSync "sync" "time" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" corev1 "k8s.io/api/core/v1" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/sync" - hookutil "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/sync/ignore" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" - "github.com/argoproj/gitops-engine/pkg/sync/syncwaves" - kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync" + hookutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/ignore" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/syncwaves" + kubeutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" @@ -229,6 +229,11 @@ func (m *appStateManager) GetRepoObjs(ctx context.Context, app *v1alpha1.Applica return nil, nil, false, fmt.Errorf("failed to get ref sources: %w", err) } + var syncedRefSources v1alpha1.RefTargetRevisionMapping + if app.Spec.HasMultipleSources() { + syncedRefSources = argo.GetSyncedRefSources(refSources, sources, app.Status.Sync.Revisions) + } + revisionsMayHaveChanges := false keyManifestGenerateAnnotationVal, keyManifestGenerateAnnotationExists := app.Annotations[v1alpha1.AnnotationKeyManifestGeneratePaths] 
@@ -263,7 +268,7 @@ func (m *appStateManager) GetRepoObjs(ctx context.Context, app *v1alpha1.Applica // just reading pre-generated manifests is comparable to updating revisions time-wise app.Status.SourceType != v1alpha1.ApplicationSourceTypeDirectory - if updateRevisions && repo.Depth == 0 && !source.IsHelm() && !source.IsOCI() && syncedRevision != "" && syncedRevision != revision && keyManifestGenerateAnnotationExists && keyManifestGenerateAnnotationVal != "" { + if updateRevisions && repo.Depth == 0 && syncedRevision != "" && !source.IsRef() && keyManifestGenerateAnnotationExists && keyManifestGenerateAnnotationVal != "" && (syncedRevision != revision || app.Spec.HasMultipleSources()) { // Validate the manifest-generate-path annotation to avoid generating manifests if it has not changed. updateRevisionResult, err := repoClient.UpdateRevisionForPaths(ctx, &apiclient.UpdateRevisionForPathsRequest{ Repo: repo, @@ -279,12 +284,14 @@ func (m *appStateManager) GetRepoObjs(ctx context.Context, app *v1alpha1.Applica ApiVersions: apiVersions, TrackingMethod: trackingMethod, RefSources: refSources, + SyncedRefSources: syncedRefSources, HasMultipleSources: app.Spec.HasMultipleSources(), InstallationID: installationID, }) if err != nil { return nil, nil, false, fmt.Errorf("failed to compare revisions for source %d of %d: %w", i+1, len(sources), err) } + if updateRevisionResult.Changes { revisionsMayHaveChanges = true } @@ -293,7 +300,7 @@ func (m *appStateManager) GetRepoObjs(ctx context.Context, app *v1alpha1.Applica if updateRevisionResult.Revision != "" { revision = updateRevisionResult.Revision } - } else { + } else if !source.IsRef() { // revisionsMayHaveChanges is set to true if at least one revision is not possible to be updated revisionsMayHaveChanges = true } 
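Review bot: The rewritten `if` in the first hunk now carries eight conjuncts and no comment saying why `app.Spec.HasMultipleSources()` bypasses the `syncedRevision != revision` short-circuit, why `!source.IsRef()` was added, or why the `!source.IsHelm() && !source.IsOCI()` guards were dropped; the third hunk's `else if !source.IsRef()` rests on the same reasoning and is equally silent. A reader can infer that a multi-source app must be re-checked even when this source's own revision is unchanged because a referenced ref source may have moved, but that should be stated, e.g. `// For multi-source apps a referenced ref source may have changed even if this source's revision did not, so always ask the repo-server (it receives SyncedRefSources); ref sources are skipped in both branches because they are presumably not rendered on their own.` Worth confirming in the same comment that calling UpdateRevisionForPaths on every reconcile of a multi-source app is the intended cost, since that effect is only inferred from the condition. GetRepoObjs starts and ends outside these hunks.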
@@ -889,6 +896,13 @@ func (m *appStateManager) CompareAppState(app *v1alpha1.Application, project *v1 } if targetObj != nil { resState.SyncWave = int64(syncwaves.Wave(targetObj)) + } else if resState.Hook { + for _, hookObj := range reconciliation.Hooks { + if hookObj.GetName() == liveObj.GetName() && hookObj.GetKind() == liveObj.GetKind() && hookObj.GetNamespace() == liveObj.GetNamespace() { + resState.SyncWave = int64(syncwaves.Wave(hookObj)) + break + } + } } var diffResult diff.DiffResult diff --git a/controller/state_test.go b/controller/state_test.go index 261ea479b6..db683cdc1c 100644 --- a/controller/state_test.go +++ b/controller/state_test.go @@ -8,11 +8,11 @@ import ( "time" "dario.cat/mergo" - cachemocks "github.com/argoproj/gitops-engine/pkg/cache/mocks" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - . "github.com/argoproj/gitops-engine/pkg/utils/testing" + cachemocks "github.com/argoproj/argo-cd/gitops-engine/pkg/cache/mocks" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" "github.com/sirupsen/logrus" logrustest "github.com/sirupsen/logrus/hooks/test" "github.com/stretchr/testify/assert" 
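Review bot: The new hook lookup compares only name, kind and namespace, so two hooks that differ only in API group (the same kind name in different groups) would both resolve to whichever appears first in `reconciliation.Hooks`; comparing `kubeutil.GetResourceKey(hookObj) == kubeutil.GetResourceKey(liveObj)` (the `kubeutil` alias this file already imports) includes the group and is the same key the new test uses for `managedLiveObjs`. The scan runs once per hook resource, which is quadratic in the number of hooks; if the enclosing resource loop turns out to be hot, a map from resource key to hook built once before the loop would avoid that. The branch also assumes `liveObj` is non-nil whenever `targetObj` is nil and `resState.Hook` is set, which the surrounding code presumably guarantees but is not visible here. CompareAppState starts and ends outside the hunk.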
@@ -416,6 +416,92 @@ func TestCompareAppStateSkipHook(t *testing.T) { assert.Empty(t, app.Status.Conditions) } +// TestCompareAppStateSyncHookSyncWave tests that Sync hooks display correct SyncWave +// This is the specific case from issue #26208 +func TestCompareAppStateSyncHookSyncWave(t *testing.T) { + tests := []struct { + name string + hookType string + syncWave string + expectedSyncWave int64 + }{ + { + name: "Sync hook with wave 2", + hookType: "Sync", + syncWave: "2", + expectedSyncWave: 2, + }, + { + name: "PreSync hook with wave 1", + hookType: "PreSync", + syncWave: "1", + expectedSyncWave: 1, + }, + { + name: "PostSync hook with negative wave", + hookType: "PostSync", + syncWave: "-1", + expectedSyncWave: -1, + }, + { + name: "Sync hook without explicit wave", + hookType: "Sync", + syncWave: "", + expectedSyncWave: 0, // default + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + app := newFakeApp() + + // Create hook pod with annotations + hookPod := NewPod() + hookPod.SetNamespace(test.FakeDestNamespace) + annot := map[string]string{ + synccommon.AnnotationKeyHook: tt.hookType, + } + if tt.syncWave != "" { + annot[synccommon.AnnotationSyncWave] = tt.syncWave + } + hookPod.SetAnnotations(annot) + + // The hook exists in live state (already created by previous sync) + livePod := hookPod.DeepCopy() + + data := fakeData{ + apps: []runtime.Object{app}, + manifestResponse: &apiclient.ManifestResponse{ + Manifests: []string{toJSON(t, hookPod)}, + Namespace: test.FakeDestNamespace, + Server: test.FakeClusterURL, + Revision: "abc123", + }, + managedLiveObjs: map[kube.ResourceKey]*unstructured.Unstructured{ + kube.GetResourceKey(livePod): livePod, + }, + } + + ctrl := newFakeController(t.Context(), &data, nil) + sources := []v1alpha1.ApplicationSource{app.Spec.GetSource()} + revisions := []string{""} + + compRes, err := ctrl.appStateManager.CompareAppState(app, &defaultProj, revisions, sources, false, false, nil, false) + 
require.NoError(t, err) + require.NotNil(t, compRes) + + // For hooks, they go into reconciliationResult.Hooks, not resources + // But we should also check resources if the hook appears there + for _, res := range compRes.resources { + if res.Hook { + assert.Equal(t, tt.expectedSyncWave, res.SyncWave, + "Hook SyncWave should be %d but got %d", tt.expectedSyncWave, res.SyncWave) + } + } + }) + } +} + func TestCompareAppStateRequireDeletion(t *testing.T) { obj1 := NewPod() obj1.SetName("my-pod-1") @@ -1870,7 +1956,7 @@ func Test_normalizeClusterScopeTracking(t *testing.T) { require.True(t, called, "normalization function should have called the callback function") } -func TestCompareAppState_DoesNotCallUpdateRevisionForPaths_ForOCI(t *testing.T) { +func TestCompareAppState_CallUpdateRevisionForPaths_ForOCI(t *testing.T) { app := newFakeApp() // Enable the manifest-generate-paths annotation and set a synced revision app.SetAnnotations(map[string]string{v1alpha1.AnnotationKeyManifestGeneratePaths: "."}) 
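Review bot: The assertion loop in TestCompareAppStateSyncHookSyncWave only checks `res.SyncWave` for entries where `res.Hook` is true, so if no hook resource ever appears in `compRes.resources` every subtest passes without asserting anything. Track whether a hook was seen and fail otherwise: `found := false` before the loop, `found = true` inside the `if res.Hook` branch, and `require.True(t, found, "expected the hook to appear in compRes.resources")` after it. The comment `// For hooks, they go into reconciliationResult.Hooks, not resources` / `// But we should also check resources if the hook appears there` reads as unsure of the expected state; once presence is asserted it can state what is expected instead.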
@@ -1886,14 +1972,70 @@ func TestCompareAppState_DoesNotCallUpdateRevisionForPaths_ForOCI(t *testing.T) Server: test.FakeClusterURL, Revision: "abc123", }, + updateRevisionForPathsResponse: &apiclient.UpdateRevisionForPathsResponse{Changes: false}, } - ctrl := newFakeControllerWithResync(t.Context(), &data, time.Minute, nil, errors.New("this should not be called")) + ctrl := newFakeControllerWithResync(t.Context(), &data, time.Minute, nil, nil) source := app.Spec.GetSource() source.RepoURL = "oci://example.com/argo/argo-cd" sources := make([]v1alpha1.ApplicationSource, 0) sources = append(sources, source) - _, _, _, err := ctrl.appStateManager.GetRepoObjs(t.Context(), app, sources, "abc123", []string{"123456"}, false, false, false, &defaultProj, false) + _, _, revisionsMayHaveChanges, err := ctrl.appStateManager.GetRepoObjs(t.Context(), app, sources, "abc123", []string{"123456"}, false, false, false, &defaultProj, false) require.NoError(t, err) + require.False(t, revisionsMayHaveChanges) +} + +func TestCompareAppState_CallUpdateRevisionForPaths_ForMultiSource(t *testing.T) { + app := newFakeApp() + // Enable the manifest-generate-paths annotation and set a synced revision + app.SetAnnotations(map[string]string{v1alpha1.AnnotationKeyManifestGeneratePaths: "."}) + app.Status.Sync = v1alpha1.SyncStatus{ + Revision: "abc123", + Status: v1alpha1.SyncStatusCodeSynced, + Revisions: []string{"0.0.1", "resolved-abc123", "resolved-main"}, + } + + app.Spec.Sources = v1alpha1.ApplicationSources{ + {RepoURL: "oci://example.com/argo/argo-cd", TargetRevision: "0.0.1", Helm: &v1alpha1.ApplicationSourceHelm{ValueFiles: []string{"$values/my-path"}}}, + {Ref: "values", RepoURL: "https://git.test.com", TargetRevision: "abc123"}, + {TargetRevision: "main", RepoURL: "https://git.test.com", Path: "path/to/chart"}, + } + + data := fakeData{ + manifestResponses: []*apiclient.ManifestResponse{ + { + Manifests: []string{}, + Namespace: test.FakeDestNamespace, + Server: test.FakeClusterURL, + 
Revision: "0.0.1", + }, + { + Manifests: []string{}, + Namespace: test.FakeDestNamespace, + Server: test.FakeClusterURL, + Revision: "abc123", + }, + { + Manifests: []string{}, + Namespace: test.FakeDestNamespace, + Server: test.FakeClusterURL, + Revision: "main", + }, + }, + updateRevisionForPathsResponses: []*apiclient.UpdateRevisionForPathsResponse{ + {Changes: false, Revision: "0.0.1"}, + {Changes: false, Revision: "resolved-main"}, + }, + } + ctrl := newFakeControllerWithResync(t.Context(), &data, time.Minute, nil, nil) + + revisions := make([]string, 0) + revisions = append(revisions, "0.0.1", "abc123", "main") + + sources := app.Spec.Sources + + _, _, revisionsMayHaveChanges, err := ctrl.appStateManager.GetRepoObjs(t.Context(), app, sources, "0.0.1", revisions, false, false, false, &defaultProj, false) + require.NoError(t, err) + require.False(t, revisionsMayHaveChanges) } diff --git a/controller/sync.go b/controller/sync.go index 4a495180d6..c071535709 100644 --- a/controller/sync.go +++ b/controller/sync.go @@ -13,10 +13,10 @@ import ( cdcommon "github.com/argoproj/argo-cd/v3/common" - gitopsDiff "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/sync" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + gitopsDiff "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" jsonpatch "github.com/evanphx/json-patch" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/controller/sync_namespace.go b/controller/sync_namespace.go index 2acf31654c..dfb1eb8b03 100644 --- a/controller/sync_namespace.go +++ b/controller/sync_namespace.go 
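Review bot: In TestCompareAppState_CallUpdateRevisionForPaths_ForMultiSource, `updateRevisionForPathsResponses` holds two entries while `app.Spec.Sources` and `manifestResponses` hold three, and nothing in the test says why; the gap is presumably the `Ref: "values"` source, which the production change skips. A one-line comment makes the fixture self-explaining, e.g. `// Two responses for three sources: the ref-only "values" source never calls UpdateRevisionForPaths.` The test name says UpdateRevisionForPaths is called, but the body asserts only `revisionsMayHaveChanges`; if the fake controller records calls, asserting the call count and that `SyncedRefSources` was populated would pin the behaviour this commit adds. The hunk begins inside the renamed OCI test, whose start is outside it.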
@@ -1,7 +1,9 @@ package controller import ( - gitopscommon "github.com/argoproj/gitops-engine/pkg/sync/common" + "maps" + + gitopscommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" @@ -47,9 +49,7 @@ func syncNamespace(syncPolicy *v1alpha1.SyncPolicy) func(m *unstructured.Unstruc // with server-side apply func appendSSAAnnotation(in map[string]string) map[string]string { r := map[string]string{} - for k, v := range in { - r[k] = v - } + maps.Copy(r, in) r[gitopscommon.AnnotationSyncOptions] = gitopscommon.SyncOptionServerSideApply return r } diff --git a/controller/sync_test.go b/controller/sync_test.go index bc9f0308b9..c2c190911f 100644 --- a/controller/sync_test.go +++ b/controller/sync_test.go @@ -4,9 +4,9 @@ import ( "strconv" "testing" - "github.com/argoproj/gitops-engine/pkg/sync" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/controller/syncid/id_test.go b/controller/syncid/id_test.go index 4842d47e89..1c89c1b948 100644 --- a/controller/syncid/id_test.go +++ b/controller/syncid/id_test.go @@ -18,9 +18,9 @@ func TestGenerate(t *testing.T) { globalCount.Store(0) // Run goroutines in parallel to test for race conditions - for g := 0; g < goroutines; g++ { + for range goroutines { go func() { - for i := 0; i < idsPerGoroutine; i++ { + for range idsPerGoroutine { id, err := Generate() if err != nil { errCh <- err 
@@ -32,7 +32,7 @@ func TestGenerate(t *testing.T) { } ids := make(map[string]any) - for i := 0; i < goroutines*idsPerGoroutine; i++ { + for range goroutines * idsPerGoroutine { select { case err := <-errCh: require.NoError(t, err) diff --git a/docs/assets/versions.js b/docs/assets/versions.js index c1a99d0287..08bd9e5903 100644 --- a/docs/assets/versions.js +++ b/docs/assets/versions.js @@ -140,9 +140,9 @@ window.addEventListener("DOMContentLoaded", function() { const currentVersion = getCurrentVersion(); if (currentVersion && currentVersion !== "stable") { if (currentVersion === "latest") { - document.querySelector("div[data-md-component=announce]").innerHTML = "
You are viewing the docs for an unreleased version of Argo CD, click here to go to the latest stable version.
"; + document.querySelector("div[data-md-component=announce]").innerHTML = "
You are viewing the docs for an unreleased version of Argo CD, view the latest stable version.
"; } else { - document.querySelector("div[data-md-component=announce]").innerHTML = "
You are viewing the docs for a previous version of Argo CD, click here to go to the latest stable version.
"; + document.querySelector("div[data-md-component=announce]").innerHTML = "
You are viewing the docs for a previous version of Argo CD, view the latest stable version.
"; } var bannerHeight = document.getElementById('announce-msg').offsetHeight + margin; document.querySelector("header.md-header").style.top = bannerHeight + "px"; diff --git a/docs/developer-guide/ci.md b/docs/developer-guide/ci.md index d508073ed2..a689eb9018 100644 --- a/docs/developer-guide/ci.md +++ b/docs/developer-guide/ci.md @@ -29,9 +29,9 @@ If the build is failing at the `Build & cache Go code`, you need to make sure `m ### Why does the codegen step fail? -If the codegen step fails with "Check nothing has changed...", chances are high that you did not run `make codegen`, or did not commit the changes it made. You should double-check by running `make codegen` followed by `git status` in the local working copy of your branch. Commit any changes and push them to your GH branch to have the CI check it again. +If the codegen step fails with "Check nothing has changed...", chances are high that you did not run `make codegen-local`, or did not commit the changes it made. You should double-check by running `make codegen-local` followed by `git status` in the local working copy of your branch. Commit any changes and push them to your GH branch to have the CI check it again. -A second common case for this is, when you modified any of the auto generated assets, as these will be overwritten upon `make codegen`. +A second common case for this is, when you modified any of the auto generated assets, as these will be overwritten upon `make codegen-local`. Generally, this step runs `codegen` and compares the outcome against the Git branch it has checked out. If there are differences, the step will fail. diff --git a/docs/developer-guide/code-contributions.md b/docs/developer-guide/code-contributions.md index cee8993ae2..f6da32db69 100644 --- a/docs/developer-guide/code-contributions.md +++ b/docs/developer-guide/code-contributions.md 
@@ -96,9 +96,9 @@ Design documents are usually submitted as PR and use [this template](https://git ## Regular contributor meeting -Our community regularly meets virtually to discuss issues, ideas and enhancements around Argo CD. We do invite you to join this virtual meetings if you want to bring up certain things (including your enhancement proposals), participate in our triaging or just want to get to know other contributors. +Our community regularly meets virtually to discuss issues, ideas and enhancements around Argo CD. We do invite you to join this virtual meetings if you want to bring up certain things (including your enhancement proposals), participate in our triage, or just want to get to know other contributors. -The current cadence of our meetings is weekly, every Thursday at 8:15AM Pacific Time ([click here to check in your current timezone][1]). We use Zoom to conduct these meetings. +The current cadence of our meetings is weekly, every Thursday at 8:15AM Pacific Time ([convert to your current timezone][1]). We use Zoom to conduct these meetings. * [Agenda document (Google Docs, includes Zoom link)](https://docs.google.com/document/d/1xkoFkVviB70YBzSEa4bDnu-rUZ1sIFtwKKG1Uw8XsY8) diff --git a/docs/developer-guide/debugging-locally.md b/docs/developer-guide/debugging-locally.md index bc147e9443..ab122284a8 100644 --- a/docs/developer-guide/debugging-locally.md +++ b/docs/developer-guide/debugging-locally.md 
@@ -18,7 +18,7 @@ For the next steps, we will use Argo CD `api-server` as an example of running a ## Configure your IDE ### Locate your component configuration in `Procfile` -The `Procfile` is used by Goreman when running Argo CD locally with the local toolchain. The file is located in the top-level directory in your cloned Argo CD repo folder, you can view it's latest version [here](https://github.com/argoproj/argo-cd/blob/master/Procfile). It contains all the needed component run configuration, and you will need to copy parts of this configuration to your IDE. +The `Procfile` is used by Goreman when running Argo CD locally with the local toolchain. The [latest Procfile](https://github.com/argoproj/argo-cd/blob/master/Procfile) is located in the top-level directory in your cloned Argo CD repo folder. It contains all the needed component run configuration, and you will need to copy parts of this configuration to your IDE. Example for `api-server` configuration in `Procfile`: ``` text diff --git a/docs/developer-guide/dependencies.md b/docs/developer-guide/dependencies.md index 78b1f7ac0c..9a762cc0c2 100644 --- a/docs/developer-guide/dependencies.md +++ b/docs/developer-guide/dependencies.md @@ -28,7 +28,7 @@ After your Notifications Engine PR has been merged, ArgoCD needs to be updated t - If your notifications engine PR included docs changes, run `make codegen` or `make codegen-local`. -- Create an ArgoCD PR with a `refactor:` type in its title for the above file changes. +- Create an ArgoCD PR with a `chore:` type in its title for the above file changes. ## Argo UI Components (`github.com/argoproj/argo-ui`) ### Contributing to Argo CD UI diff --git a/docs/developer-guide/faq.md b/docs/developer-guide/faq.md index 48c49e28e8..be246af00d 100644 --- a/docs/developer-guide/faq.md +++ b/docs/developer-guide/faq.md 
@@ -15,7 +15,7 @@ As we have limited resources, it can sometimes take a while for someone to respo ### How do I get my PR labeled `ready-for-review` ? -Conventionally an initial review is performed from a Argo member or reviewer. Once the initial review is approved, it can be labeled `ready-for-review` and then added to the [Argo CD Review](https://github.com/orgs/argoproj/projects/28) Github project. Details of the project dashboard can be found [here](https://github.com/orgs/argoproj/projects/28?pane=info). +Conventionally an initial review is performed from a Argo member or reviewer. Once the initial review is approved, it can be labeled `ready-for-review` and then added to the [Argo CD Review](https://github.com/orgs/argoproj/projects/28) Github project. The project dashboard provides a helpful [info panel](https://github.com/orgs/argoproj/projects/28?pane=info) on the review process. High quality reviews are extremely encouraged from the community. A member/reviewer may work with a community reviewer to get a PR labeled `ready-for-review`. It can then be added to the project dashboard and marked `Community Reviewed`. diff --git a/docs/developer-guide/release-process-and-cadence.md b/docs/developer-guide/release-process-and-cadence.md index b6a9ddecf7..4539b4599e 100644 --- a/docs/developer-guide/release-process-and-cadence.md +++ b/docs/developer-guide/release-process-and-cadence.md 
@@ -21,7 +21,7 @@ These are the upcoming releases dates: | v3.1 | Monday, Jun. 16, 2025 | Monday, Aug. 4, 2025 | [Christian Hernandez](https://github.com/christianh814) | [Alexandre Gaudreault](https://github.com/agaudreault) | [checklist](https://github.com/argoproj/argo-cd/issues/23347) | | v3.2 | Monday, Sep. 15, 2025 | Monday, Nov. 3, 2025 | [Nitish Kumar](https://github.com/nitishfy) | [Michael Crenshaw](https://github.com/crenshaw-dev) | [checklist](https://github.com/argoproj/argo-cd/issues/24539) | | v3.3 | Monday, Dec. 15, 2025 | Monday, Feb. 2, 2026 | [Peter Jiang](https://github.com/pjiang-dev) | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/25211) | -| v3.4 | Monday, Mar. 16, 2026 | Monday, May. 4, 2026 | [Codey Jenkins](https://github.com/FourFifthsCode) | | +| v3.4 | Monday, Mar. 16, 2026 | Monday, May. 4, 2026 | [Codey Jenkins](https://github.com/FourFifthsCode) | [Regina Voloshin](https://github.com/reggie-k) | [checklist](https://github.com/argoproj/argo-cd/issues/26527) | v3.5 | Monday, Jun. 15, 2026 | Monday, Aug. 3, 2026 | | | Actual release dates might differ from the plan by a few days. diff --git a/docs/developer-guide/running-locally.md b/docs/developer-guide/running-locally.md index fc39d0d127..8ef7cdfe8f 100644 --- a/docs/developer-guide/running-locally.md +++ b/docs/developer-guide/running-locally.md 
@@ -130,10 +130,11 @@ export ARGOCD_OPTS="--plaintext --insecure" #### Docs Changes -Modifying the docs auto-reloads the changes on the [documentation website](https://argo-cd.readthedocs.io/) that can be locally built using `make serve-docs-local` command. +The doc-site can be run in a container with `make serve-docs` or locally using `make serve-docs-local`. +When the doc-site process is run locally, modifying the docs will auto-reload changes in a preview of the [documentation website](https://argo-cd.readthedocs.io/). Once running, you can view your locally built documentation on port 8000. -Read more about this [here](https://argo-cd.readthedocs.io/en/latest/developer-guide/docs-site/). +The developer guide has detailed information about the [doc-site process](https://argo-cd.readthedocs.io/en/latest/developer-guide/docs-site/). #### UI Changes diff --git a/docs/developer-guide/submit-your-pr.md b/docs/developer-guide/submit-your-pr.md index d9e71c074d..dd55adafa1 100644 --- a/docs/developer-guide/submit-your-pr.md +++ b/docs/developer-guide/submit-your-pr.md 
@@ -49,10 +49,13 @@ Please use a meaningful and concise title for your PR. This will help us to pick We use [PR title checker](https://github.com/marketplace/actions/pr-title-checker) to categorize your PR into one of the following categories: +* `ci` - Your PR updates or improves Continuous Integration workflows * `fix` - Your PR contains one or more code bug fixes * `feat` - Your PR contains a new feature +* `test` - Your PR adds tests to the code base, or improves existing tests * `docs` - Your PR improves the documentation * `chore` - Your PR improves any internals of Argo CD, such as the build process, unit tests, etc +* `refactor` - Your PR refactors the code base, without adding new features or fixing bugs Please prefix the title of your PR with one of the valid categories. For example, if you chose the title your PR `Add documentation for GitHub SSO integration`, please use `docs: Add documentation for GitHub SSO integration` instead. diff --git a/docs/faq.md b/docs/faq.md index cc99585a6a..fdb2685821 100644 --- a/docs/faq.md +++ b/docs/faq.md @@ -311,7 +311,7 @@ Argo CD default installation is now configured to automatically enable Redis aut If for some reason authenticated Redis does not work for you and you want to use non-authenticated Redis, here are the steps: 1. You need to have your own Redis installation. -2. Configure Argo CD to use your own Redis instance. See this [doc](https://argo-cd.readthedocs.io/en/stable/operator-manual/argocd-cmd-params-cm-yaml/) for the Argo CD configuration. +2. Configure Argo CD to use your own Redis instance, as shown in the [example configuration](operator-manual/argocd-cmd-params-cm-yaml.md). 3. If you already installed Redis shipped with Argo CD, you also need to clean up the existing components: * When HA Redis is used: diff --git a/docs/getting_started.md b/docs/getting_started.md index ea40cae3f2..c6da77455c 100644 --- a/docs/getting_started.md +++ b/docs/getting_started.md 
@@ -84,7 +84,7 @@ kubectl get svc argocd-server -n argocd -o=jsonpath='{.status.loadBalancer.ingre Follow the [ingress documentation](operator-manual/ingress.md) on how to configure Argo CD with ingress. ### Port Forwarding -Kubectl port-forwarding can also be used to connect to the API server without exposing the service. +`kubectl port-forward` can also be used to connect to the API server without exposing the service. ```bash kubectl port-forward svc/argocd-server -n argocd 8080:443 @@ -93,7 +93,7 @@ kubectl port-forward svc/argocd-server -n argocd 8080:443 The API server can then be accessed using https://localhost:8080 -## 4. Login Using The CLI +## 4. Log in Using The CLI The initial password for the `admin` account is auto-generated and stored as clear text in the field `password` in a secret named `argocd-initial-admin-secret` @@ -111,7 +111,7 @@ argocd admin initial-password -n argocd > safely be deleted at any time. It will be re-created on demand by Argo CD > if a new admin password must be re-generated. -Using the username `admin` and the password from above, login to Argo CD's IP or hostname: +Using the username `admin` and the password from above, log in to Argo CD's IP or hostname: ```bash argocd login @@ -126,7 +126,7 @@ Change the password using the command: argocd account update-password ``` -## 5. Register A Cluster To Deploy Apps To (Optional) +## 5. Register a Cluster to Deploy Apps To (Optional) This step registers a cluster's credentials to Argo CD, and is only necessary when deploying to an external cluster. When deploying internally (to the same cluster that Argo CD is running in), 
@@ -157,11 +157,11 @@ An example repository containing a guestbook application is available at [https://github.com/argoproj/argocd-example-apps.git](https://github.com/argoproj/argocd-example-apps.git) to demonstrate how Argo CD works. > [!NOTE] -> Note: The following example application may only be compatible with AMD64 architecture. If you are running on a different architecture (such as ARM64 or ARMv7), you may encounter issues with dependencies or container images that are not built for your platform. Consider verifying the compatibility of the application or building architecture-specific images if necessary. +> The following example application may only be compatible with AMD64 architecture. If you are running on a different architecture (such as ARM64 or ARMv7), you may encounter issues with dependencies or container images that are not built for your platform. Consider verifying the compatibility of the application or building architecture-specific images if necessary. ### Creating Apps Via CLI -First we need to set the current namespace to argocd running the following command: +First, set the current namespace to argocd by running the following command: ```bash kubectl config set-context --current --namespace=argocd diff --git a/docs/index.md b/docs/index.md index 534e0dd503..5683d401fa 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -87,8 +87,8 @@ For additional details, see [architecture overview](operator-manual/architecture ## Development Status -Argo CD is being actively developed by the community. Our releases can be found [here](https://github.com/argoproj/argo-cd/releases). +Argo CD is being actively developed by the community. [Releases](https://github.com/argoproj/argo-cd/releases) are listed on Github. ## Adoption -Organizations who have officially adopted Argo CD can be found [here](https://github.com/argoproj/argo-cd/blob/master/USERS.md). +A growing list of organizations(https://github.com/argoproj/argo-cd/blob/master/USERS.md) have officially adopted Argo CD. diff --git a/docs/operator-manual/applicationset/Generators-Cluster-Decision-Resource.md b/docs/operator-manual/applicationset/Generators-Cluster-Decision-Resource.md index 106a567b6a..bb2d86f8ce 100644 --- a/docs/operator-manual/applicationset/Generators-Cluster-Decision-Resource.md +++ b/docs/operator-manual/applicationset/Generators-Cluster-Decision-Resource.md @@ -70,7 +70,7 @@ data: matchKey: clusterName ``` -(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/clusterDecisionResource).*) +(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/clusterDecisionResource)*) This example leverages the cluster management capabilities of the [open-cluster-management.io community](https://open-cluster-management.io/). By creating a `ConfigMap` with the GVK for the `open-cluster-management.io` Placement rule, your ApplicationSet can provision to different clusters in a number of novel ways. One example is to have the ApplicationSet maintain only two Argo CD Applications across 3 or more clusters. Then as maintenance or outages occur, the ApplicationSet will always maintain two Applications, moving the application to available clusters under the Placement rule's direction. 
diff --git a/docs/operator-manual/applicationset/Generators-Cluster.md b/docs/operator-manual/applicationset/Generators-Cluster.md index a29e32e735..1e52088c5f 100644 --- a/docs/operator-manual/applicationset/Generators-Cluster.md +++ b/docs/operator-manual/applicationset/Generators-Cluster.md @@ -57,9 +57,9 @@ spec: server: '{{.server}}' # 'server' field of the secret namespace: guestbook ``` -(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/cluster).*) +(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/cluster).*) -In this example, the cluster secret's `name` and `server` fields are used to populate the `Application` resource `name` and `server` (which are then used to target that same cluster). +In this example, the cluster secret's `name` and `server` fields are used to populate the `Application` resource `name` and `server`, which are then used to target that same cluster. ### Label selector diff --git a/docs/operator-manual/applicationset/Generators-Git-File-Globbing.md b/docs/operator-manual/applicationset/Generators-Git-File-Globbing.md index 04efabeceb..faa39e5596 100644 --- a/docs/operator-manual/applicationset/Generators-Git-File-Globbing.md +++ b/docs/operator-manual/applicationset/Generators-Git-File-Globbing.md @@ -59,7 +59,7 @@ Note that the default may change in the future. ## Usage -The new Git file generator globbing uses the `doublestar` package. You can find it [here](https://github.com/bmatcuk/doublestar). +The new Git file generator globbing uses the [doublestar package](https://github.com/bmatcuk/doublestar). Below is a short excerpt from its documentation. diff --git a/docs/operator-manual/applicationset/Generators-Git.md b/docs/operator-manual/applicationset/Generators-Git.md index 0d51d0b2f6..fd57c5da47 100644 --- a/docs/operator-manual/applicationset/Generators-Git.md +++ b/docs/operator-manual/applicationset/Generators-Git.md 
@@ -63,7 +63,7 @@ spec:
 syncOptions:
 - CreateNamespace=true
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory).*)
 The generator parameters are:
@@ -72,9 +72,13 @@ The generator parameters are:
 - `{{.path.basename}}`: For any directory path within the Git repository that matches the `path` wildcard, the right-most path name is extracted (e.g. `/directory/directory2` would produce `directory2`).
 - `{{.path.basenameNormalized}}`: This field is the same as `path.basename` with unsupported characters replaced with `-` (e.g. a `path` of `/directory/directory_2`, and `path.basename` of `directory_2` would produce `directory-2` here).
-**Note**: The right-most path name always becomes `{{.path.basename}}`. For example, for `- path: /one/two/three/four`, `{{.path.basename}}` is `four`.
+> [!NOTE]
+> The right-most path name always becomes `{{.path.basename}}`. For example, for `- path: /one/two/three/four`, `{{.path.basename}}` is `four`.
-**Note**: If the `pathParamPrefix` option is specified, all `path`-related parameter names above will be prefixed with the specified value and a dot separator. E.g., if `pathParamPrefix` is `myRepo`, then the generated parameter name would be `.myRepo.path` instead of `.path`. Using this option is necessary in a Matrix generator where both child generators are Git generators (to avoid conflicts when merging the child generators’ items).
+> [!NOTE]
+> If the `pathParamPrefix` option is specified, all `path`-related parameter names above will be prefixed with the specified value and a dot separator.
+> E.g., if `pathParamPrefix` is `myRepo`, then the generated parameter name would be `.myRepo.path` instead of `.path`. Using this option is necessary
+> in a Matrix generator where both child generators are Git generators (to avoid conflicts when merging the child generators’ items).
 Whenever a new Helm chart/Kustomize YAML/Application/plain subdirectory is added to the Git repository, the ApplicationSet controller will detect this change and automatically deploy the resulting manifests within new `Application` resources.
@@ -116,7 +120,7 @@ spec:
 server: https://kubernetes.default.svc
 namespace: '{{.path.basename}}'
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory/excludes).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-directory/excludes).*)
 This example excludes the `exclude-helm-guestbook` directory from the list of directories scanned for this `ApplicationSet` resource.
@@ -320,7 +324,7 @@ spec:
 server: '{{.cluster.address}}'
 namespace: guestbook
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-files-discovery).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-files-discovery).*)
 Any `config.json` files found under the `cluster-config` directory will be parameterized based on the `path` wildcard pattern specified. Within each file JSON fields are flattened into key/value pairs, with this ApplicationSet example using the `cluster.address` and `cluster.name` parameters in the template.
@@ -335,12 +339,18 @@ In addition to the flattened key/value pairs from the configuration file, the fo
 - `{{.path.filename}}`: The matched filename. e.g., `config.json` in the above example.
 - `{{.path.filenameNormalized}}`: The matched filename with unsupported characters replaced with `-`.
-**Note**: The right-most *directory* name always becomes `{{.path.basename}}`. For example, from `- path: /one/two/three/four/config.json`, `{{.path.basename}}` will be `four`.
-The filename can always be accessed using `{{.path.filename}}`.
+> [!NOTE]
+> The right-most *directory* name always becomes `{{.path.basename}}`. For example, from `- path: /one/two/three/four/config.json`, `{{.path.basename}}`
+> will be `four`. The filename can always be accessed using `{{.path.filename}}`.
-**Note**: If the `pathParamPrefix` option is specified, all `path`-related parameter names above will be prefixed with the specified value and a dot separator. E.g., if `pathParamPrefix` is `myRepo`, then the generated parameter name would be `myRepo.path` instead of `path`. Using this option is necessary in a Matrix generator where both child generators are Git generators (to avoid conflicts when merging the child generators’ items).
+> [!NOTE]
+> If the `pathParamPrefix` option is specified, all `path`-related parameter names above will be prefixed with the specified value and a dot separator.
+> E.g., if `pathParamPrefix` is `myRepo`, then the generated parameter name would be `myRepo.path` instead of `path`. Using this option is necessary
+> in a Matrix generator where both child generators are Git generators (to avoid conflicts when merging the child generators’ items).
-**Note**: The default behavior of the Git file generator is very greedy. Please see [Git File Generator Globbing](./Generators-Git-File-Globbing.md) for more information.
+> [!NOTE]
+> The default behavior of the Git file generator is very greedy.
+> Please see [Git File Generator Globbing](./Generators-Git-File-Globbing.md) for more information.
 ### Exclude files
@@ -379,7 +389,7 @@ spec:
 This example excludes the `config.json` file in the `dev` directory from the list of files scanned for this `ApplicationSet` resource.
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-files-discovery/excludes).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/git-generator-files-discovery/excludes).*)
 ### Pass additional key-value pairs via `values` field
@@ -476,7 +486,7 @@ spec:
 ```
 > [!NOTE]
-> The ApplicationSet controller webhook does not use the same webhook as the API server as defined [here](../webhook.md). ApplicationSet exposes a webhook server as a service of type ClusterIP. An ApplicationSet specific Ingress resource needs to be created to expose this service to the webhook source.
+> The ApplicationSet controller webhook does not use the same [API server webhook](../webhook.md). ApplicationSet exposes a webhook server as a service of type ClusterIP. An ApplicationSet specific Ingress resource needs to be created to expose this service to the webhook source.
 ### 1. Create the webhook in the Git provider
diff --git a/docs/operator-manual/applicationset/Generators-List.md b/docs/operator-manual/applicationset/Generators-List.md
index 5a706d2239..30863d6d83 100644
--- a/docs/operator-manual/applicationset/Generators-List.md
+++ b/docs/operator-manual/applicationset/Generators-List.md
@@ -30,7 +30,7 @@ spec:
 server: '{{.url}}'
 namespace: guestbook
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/list-generator).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/list-generator).*)
 In this example, the List generator passes the `url` and `cluster` fields as parameters into the template. If we wanted to add a second environment, we could uncomment the second element and the ApplicationSet controller would automatically target it with the defined application.
diff --git a/docs/operator-manual/applicationset/Generators-Matrix.md b/docs/operator-manual/applicationset/Generators-Matrix.md
index 077157544c..d79f033538 100644
--- a/docs/operator-manual/applicationset/Generators-Matrix.md
+++ b/docs/operator-manual/applicationset/Generators-Matrix.md
@@ -106,7 +106,7 @@ Finally, the Matrix generator will combine both sets of outputs, and produce:
 path: /examples/git-generator-directory/cluster-addons/prometheus-operator
 path.basename: prometheus-operator
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/matrix).*)
+(*The [full example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/matrix).*)
 ## Using Parameters from one child generator in another child generator
diff --git a/docs/operator-manual/applicationset/Generators-Plugin.md b/docs/operator-manual/applicationset/Generators-Plugin.md
index 59bf87e92f..d797992c34 100644
--- a/docs/operator-manual/applicationset/Generators-Plugin.md
+++ b/docs/operator-manual/applicationset/Generators-Plugin.md
@@ -118,7 +118,8 @@ If you want to store sensitive data in **another** Kubernetes `Secret`, instead
 Syntax: `$:`
-> NOTE: Secret must have label `app.kubernetes.io/part-of: argocd`
+> [!NOTE]
+> Secret must have label `app.kubernetes.io/part-of: argocd`
 ##### Example
diff --git a/docs/operator-manual/applicationset/Generators-Pull-Request.md b/docs/operator-manual/applicationset/Generators-Pull-Request.md
index 6285e2f879..98f902e4c2 100644
--- a/docs/operator-manual/applicationset/Generators-Pull-Request.md
+++ b/docs/operator-manual/applicationset/Generators-Pull-Request.md
@@ -282,7 +282,8 @@ You can use branch `filters` like
 - `branchMatch`: Optional regexp filter which should match the source branch name.
 - `targetBranchMatch`: Optional regexp filter which should match destination branch name.
-> Note: Labels are not supported by Bitbucket.
+> [!NOTE]
+> Labels are not supported by Bitbucket.
 If you want to access a private repository, Argo CD will need credentials to access repository in Bitbucket Cloud. You can use Bitbucket App Password (generated per user, with access to whole workspace), or Bitbucket App Token (generated per repository, with access limited to repository scope only). If both App Password and App Token are defined, App Token will be used.
@@ -453,7 +454,7 @@ When using a Pull Request generator, the ApplicationSet controller polls every `
 The configuration is almost the same as the one described [in the Git generator](Generators-Git.md), but there is one difference: if you want to use the Pull Request Generator as well, additionally configure the following settings.
 > [!NOTE]
-> The ApplicationSet controller webhook does not use the same webhook as the API server as defined [here](../webhook.md). ApplicationSet exposes a webhook server as a service of type ClusterIP. An ApplicationSet specific Ingress resource needs to be created to expose this service to the webhook source.
+> The ApplicationSet controller webhook does not use the same [API server webhook](../webhook.md). ApplicationSet exposes a webhook server as a service of type ClusterIP. An ApplicationSet specific Ingress resource needs to be created to expose this service to the webhook source.
 ### Github webhook configuration
diff --git a/docs/operator-manual/applicationset/Template.md b/docs/operator-manual/applicationset/Template.md
index bce8c6487f..17914c7e4a 100644
--- a/docs/operator-manual/applicationset/Template.md
+++ b/docs/operator-manual/applicationset/Template.md
@@ -124,9 +124,8 @@ spec:
 server: '{{ .server }}'
 namespace: guestbook
 ```
-(*The full example can be found [here](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/template-override).*)
-In this example, the ApplicationSet controller will generate an `Application` resource using the `path` generated by the List generator, rather than the `path` value defined in `.spec.template`.
+In [this example](https://github.com/argoproj/argo-cd/tree/master/applicationset/examples/template-override), the ApplicationSet controller will generate an `Application` resource using the `path` generated by the List generator, rather than the `path` value defined in `.spec.template`.
 ## Template Patch
diff --git a/docs/operator-manual/argocd-cmd-params-cm.yaml b/docs/operator-manual/argocd-cmd-params-cm.yaml
index 7a2dc03b0a..de0f0376da 100644
--- a/docs/operator-manual/argocd-cmd-params-cm.yaml
+++ b/docs/operator-manual/argocd-cmd-params-cm.yaml
@@ -102,6 +102,31 @@ data:
 # will increase the speed at which Argo CD becomes aware of external cluster state. A higher value will reduce cluster
 # cache lock contention and better handle high-churn clusters.
 controller.cluster.cache.events.processing.interval: "100ms"
+ # QPS (Queries Per Second) limit for K8s API client requests (default "50")
+ # Can also be set via ARGOCD_K8S_CLIENT_QPS environment variable
+ controller.k8s.client.qps: "50"
+ # Burst value for K8s API client requests (default "100", which is 2x QPS)
+ # Can also be set via ARGOCD_K8S_CLIENT_BURST environment variable
+ controller.k8s.client.burst: "100"
+ # Maximum number of idle connections in the K8s REST client HTTP transport (default "500")
+ # Can also be set via ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS environment variable
+ controller.k8s.client.max.idle.connections: "500"
+ # TCP timeout duration when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_TIMEOUT environment variable
+ controller.k8s.tcp.timeout: "30s"
+ # TCP keep-alive probe interval when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_KEEPALIVE environment variable
+ controller.k8s.tcp.keepalive: "30s"
+ # TLS handshake timeout when establishing connections to K8s API servers (default "10s")
+ # Can also be set via ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT environment variable
+ controller.k8s.tls.handshake.timeout: "10s"
+ # Idle TCP connection timeout to K8s API servers (default "5m")
+ # Can also be set via ARGOCD_K8S_TCP_IDLE_TIMEOUT environment variable
+ controller.k8s.tcp.idle.timeout: "5m"
+ # Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
+ # _grpc_config. are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
+ # See https://github.com/argoproj/argo-cd/issues/24991
+ controller.grpc.enable.txt.service.config: "false"
 ## Server properties
 # Listen on given address for incoming connections (default "0.0.0.0")
@@ -168,6 +193,31 @@ data:
 server.enable.proxy.extension: "false"
 # Enables profile endpoint on the internal metrics port
 server.profile.enabled: "false"
+ # QPS (Queries Per Second) limit for K8s API client requests (default "50")
+ # Can also be set via ARGOCD_K8S_CLIENT_QPS environment variable
+ server.k8s.client.qps: "50"
+ # Burst value for K8s API client requests (default "100", which is 2x QPS)
+ # Can also be set via ARGOCD_K8S_CLIENT_BURST environment variable
+ server.k8s.client.burst: "100"
+ # Maximum number of idle connections in the K8s REST client HTTP transport (default "500")
+ # Can also be set via ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS environment variable
+ server.k8s.client.max.idle.connections: "500"
+ # TCP timeout duration when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_TIMEOUT environment variable
+ server.k8s.tcp.timeout: "30s"
+ # TCP keep-alive probe interval when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_KEEPALIVE environment variable
+ server.k8s.tcp.keepalive: "30s"
+ # TLS handshake timeout when establishing connections to K8s API servers (default "10s")
+ # Can also be set via ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT environment variable
+ server.k8s.tls.handshake.timeout: "10s"
+ # Idle TCP connection timeout to K8s API servers (default "5m")
+ # Can also be set via ARGOCD_K8S_TCP_IDLE_TIMEOUT environment variable
+ server.k8s.tcp.idle.timeout: "5m"
+ # Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
+ # _grpc_config. are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
+ # See https://github.com/argoproj/argo-cd/issues/24991
+ server.grpc.enable.txt.service.config: "false"
 ## Repo-server properties
 # Listen on given address for incoming connections (default "0.0.0.0")
@@ -225,6 +275,12 @@ data:
 reposerver.enable.builtin.git.config: "true"
 # Include hidden directories from Git
 reposerver.include.hidden.directories: "false"
+ # Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
+ # _grpc_config. are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
+ # See https://github.com/argoproj/argo-cd/issues/24991
+ reposerver.grpc.enable.txt.service.config: "false"
+ # Enables profile endpoint on the internal metrics port
+ reposerver.profile.enabled: "false"
 ## Commit-server properties
 # Listen on given address for incoming connections (default "0.0.0.0")
@@ -235,6 +291,10 @@ data:
 commitserver.log.level: "info"
 # Listen on given address for metrics (default "0.0.0.0")
 commitserver.metrics.listen.address: "0.0.0.0"
+ # Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
+ # _grpc_config. are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
+ # See https://github.com/argoproj/argo-cd/issues/24991
+ commitserver.grpc.enable.txt.service.config: "false"
 # Set the logging format. One of: json|text (default "json")
 dexserver.log.format: "json"
@@ -283,7 +343,7 @@ data:
 # The url used in the scm generator must exactly match one in the list
 applicationsetcontroller.allowed.scm.providers: "https://git.example.com/,https://gitlab.example.com/"
 # To disable SCM providers entirely (i.e. disable the SCM and PR generators), set this to "false". Default is "true".
- applicationsetcontroller.enable.scm.providers: "false"
+ applicationsetcontroller.enable.scm.providers: "true"
 # Number of webhook requests processed concurrently (default 50)
 applicationsetcontroller.webhook.parallelism.limit: "50"
 # Override the default requeue time for the controller. (default 3m)
@@ -300,6 +360,31 @@ data:
 applicationsetcontroller.status.max.resources.count: "5000"
 # Enables profile endpoint on the internal metrics port
 applicationsetcontroller.profile.enabled: "false"
+ # QPS (Queries Per Second) limit for K8s API client requests (default "50")
+ # Can also be set via ARGOCD_K8S_CLIENT_QPS environment variable
+ applicationsetcontroller.k8s.client.qps: "50"
+ # Burst value for K8s API client requests (default "100", which is 2x QPS)
+ # Can also be set via ARGOCD_K8S_CLIENT_BURST environment variable
+ applicationsetcontroller.k8s.client.burst: "100"
+ # Maximum number of idle connections in the K8s REST client HTTP transport (default "500")
+ # Can also be set via ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS environment variable
+ applicationsetcontroller.k8s.client.max.idle.connections: "500"
+ # TCP timeout duration when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_TIMEOUT environment variable
+ applicationsetcontroller.k8s.tcp.timeout: "30s"
+ # TCP keep-alive probe interval when communicating with K8s API servers (default "30s")
+ # Can also be set via ARGOCD_K8S_TCP_KEEPALIVE environment variable
+ applicationsetcontroller.k8s.tcp.keepalive: "30s"
+ # TLS handshake timeout when establishing connections to K8s API servers (default "10s")
+ # Can also be set via ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT environment variable
+ applicationsetcontroller.k8s.tls.handshake.timeout: "10s"
+ # Idle TCP connection timeout to K8s API servers (default "5m")
+ # Can also be set via ARGOCD_K8S_TCP_IDLE_TIMEOUT environment variable
+ applicationsetcontroller.k8s.tcp.idle.timeout: "5m"
+ # Enable gRPC service config lookups via DNS TXT records (default "false"). By default, gRPC DNS TXT lookups for
+ # _grpc_config. are disabled to prevent excessive DNS queries that can cause timeouts in dual-stack environments.
+ # See https://github.com/argoproj/argo-cd/issues/24991
+ applicationsetcontroller.grpc.enable.txt.service.config: "false"
 ## Argo CD Notifications Controller Properties
 # Set the logging level. One of: debug|info|warn|error (default "info")
diff --git a/docs/operator-manual/cluster-bootstrapping.md b/docs/operator-manual/cluster-bootstrapping.md
index 5f422fe91d..d9d9ddee90 100644
--- a/docs/operator-manual/cluster-bootstrapping.md
+++ b/docs/operator-manual/cluster-bootstrapping.md
@@ -170,7 +170,8 @@ The parent app will appear as in-sync but the child apps will be out of sync:
 ![New App Of Apps](../assets/new-app-of-apps.png)
-> NOTE: You may want to modify this behavior to bootstrap your cluster in waves; see [the health assessment of Applications](./health.md#argocd-app) for information on changing this.
+> [!NOTE]
+> You may want to modify this behavior to bootstrap your cluster in waves; see [the health assessment of Applications](./health.md#argocd-app) for information on changing this.
 You can either sync via the UI, firstly filter by the correct label:
diff --git a/docs/operator-manual/cluster-management.md b/docs/operator-manual/cluster-management.md
index 28fbb13587..96977b06b9 100644
--- a/docs/operator-manual/cluster-management.md
+++ b/docs/operator-manual/cluster-management.md
@@ -13,6 +13,23 @@ If you're unsure about the context names, run `kubectl config get-contexts` to g
 This will connect to the cluster and install the necessary resources for ArgoCD to connect to it. Note that you will need privileged access to the cluster.
+## Skipping cluster reconciliation
+
+You can stop the controller from reconciling a cluster without removing it by annotating its secret:
+
+```bash
+kubectl -n argocd annotate secret argocd.argoproj.io/skip-reconcile=true
+```
+
+The cluster will still appear in `argocd cluster list` but the controller will skip reconciliation
+for all apps targeting it. To resume, remove the annotation:
+
+```bash
+kubectl -n argocd annotate secret argocd.argoproj.io/skip-reconcile-
+```
+
+See [Declarative Setup - Skipping Cluster Reconciliation](./declarative-setup.md#skipping-cluster-reconciliation) for details.
+
 ## Removing a cluster
 Run `argocd cluster rm context-name`.
diff --git a/docs/operator-manual/config-management-plugins.md b/docs/operator-manual/config-management-plugins.md
index b03bc5d19b..20e95cf463 100644
--- a/docs/operator-manual/config-management-plugins.md
+++ b/docs/operator-manual/config-management-plugins.md
@@ -289,7 +289,7 @@ Plugin commands have access to
 You may leave the `name` field empty in the `plugin` section for the plugin to be automatically matched with the Application based on its discovery rules. If you do mention the name make sure it is either `-` if version is mentioned in the `ConfigManagementPlugin` spec or else just ``. When name is explicitly
-specified only that particular plugin will be used iff its discovery pattern/command matches the provided application repo.
+specified only that particular plugin will be used if its discovery pattern/command matches the provided application repo.
 ```yaml
 apiVersion: argoproj.io/v1alpha1
diff --git a/docs/operator-manual/declarative-setup.md b/docs/operator-manual/declarative-setup.md
index dca80db37a..0f5a051367 100644
--- a/docs/operator-manual/declarative-setup.md
+++ b/docs/operator-manual/declarative-setup.md
@@ -595,6 +595,49 @@ stringData:
 }
 ```
+### Skipping Cluster Reconciliation
+
+You can prevent the application controller from reconciling all apps targeting a cluster by annotating its
+secret with `argocd.argoproj.io/skip-reconcile: "true"`. This uses the same annotation as
+[Skip Application Reconcile](../user-guide/skip_reconcile.md), but applied at the cluster level.
+
+The cluster remains visible in API responses (`argocd cluster list`), but the controller treats it as unmanaged.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+ name: mycluster-secret
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ annotations:
+ argocd.argoproj.io/skip-reconcile: "true"
+type: Opaque
+stringData:
+ name: mycluster.example.com
+ server: https://mycluster.example.com
+ config: |
+ {
+ "bearerToken": "",
+ "tlsClientConfig": {
+ "insecure": false,
+ "caData": ""
+ }
+ }
+```
+
+To skip an existing cluster:
+
+```bash
+kubectl -n argocd annotate secret mycluster-secret argocd.argoproj.io/skip-reconcile=true
+```
+
+To resume reconciliation:
+
+```bash
+kubectl -n argocd annotate secret mycluster-secret argocd.argoproj.io/skip-reconcile-
+```
+
 ### EKS
 EKS cluster secret example using argocd-k8s-auth and [IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) and [Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html):
@@ -725,7 +768,7 @@ The 3 service accounts need to be modified to include an annotation with the Arg
 Here's an example service account configurations for `argocd-application-controller`, `argocd-applicationset-controller`, and `argocd-server`.
 > [!WARNING]
-Once the annotations has been set on the service accounts, the application controller and server pods need to be restarted.
+> Once the annotations has been set on the service accounts, the application controller and server pods need to be restarted.
 **for IRSA:**
 ```yaml
diff --git a/docs/operator-manual/feature-maturity.md b/docs/operator-manual/feature-maturity.md
index c6b2400e50..aa836d3a63 100644
--- a/docs/operator-manual/feature-maturity.md
+++ b/docs/operator-manual/feature-maturity.md
@@ -44,9 +44,9 @@ to indicate their stability and maturity. These are the statuses of non-stable f
 ### ApplicationSet CRD
 | Feature | Property | Status |
-| ----------------------------- | ---------------------------- | ------ |
-| [AppSet Progressive Syncs][2] | `spec.strategy.*` | Alpha |
-| [AppSet Progressive Syncs][2] | `status.applicationStatus.*` | Alpha |
+| ----------------------------- | ---------------------------- |--------|
+| [AppSet Progressive Syncs][2] | `spec.strategy.*` | Beta |
+| [AppSet Progressive Syncs][2] | `status.applicationStatus.*` | Beta |
 ### Configuration
@@ -58,11 +58,11 @@ to indicate their stability and maturity. These are the statuses of non-stable f
 | [AppSets in any Namespace][5] | `Deployment/argocd-applicationset-controller` | `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_SCM_PROVIDERS` | Beta |
 | [AppSets in any Namespace][5] | `Deployment/argocd-applicationset-controller` | `ARGOCD_APPLICATIONSET_CONTROLLER_NAMESPACES` | Beta |
 | [AppSets in any Namespace][5] | `ConfigMap/argocd-cmd-params-cm` | `applicationsetcontroller.namespaces` | Beta |
-| [AppSet Progressive Syncs][2] | `ConfigMap/argocd-cmd-params-cm` | `applicationsetcontroller.enable.progressive.syncs` | Alpha |
-| [AppSet Progressive Syncs][2] | `Deployment/argocd-applicationset-controller` | `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS` | Alpha |
-| [Proxy Extensions][3] | `ConfigMap/argocd-cmd-params-cm` | `server.enable.proxy.extension` | Alpha |
-| [Proxy Extensions][3] | `Deployment/argocd-server` | `ARGOCD_SERVER_ENABLE_PROXY_EXTENSION` | Alpha |
-| [Proxy Extensions][3] | `ConfigMap/argocd-cm` | `extension.config` | Alpha |
+| [AppSet Progressive Syncs][2] | `ConfigMap/argocd-cmd-params-cm` | `applicationsetcontroller.enable.progressive.syncs` | Beta |
+| [AppSet Progressive Syncs][2] | `Deployment/argocd-applicationset-controller` | `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS` | Beta |
+| [Proxy Extensions][3] | `ConfigMap/argocd-cmd-params-cm` | `server.enable.proxy.extension` | Beta |
+| [Proxy Extensions][3] | `Deployment/argocd-server` | `ARGOCD_SERVER_ENABLE_PROXY_EXTENSION` | Beta |
+| [Proxy Extensions][3] | `ConfigMap/argocd-cm` | `extension.config` | Beta |
 | [Dynamic Cluster Distribution][7] | `Deployment/argocd-application-controller` | `ARGOCD_ENABLE_DYNAMIC_CLUSTER_DISTRIBUTION` | Alpha |
 | [Dynamic Cluster Distribution][7] | `Deployment/argocd-application-controller` | `ARGOCD_CONTROLLER_HEARTBEAT_TIME` | Alpha |
 | [Cluster Sharding: round-robin][6] | `ConfigMap/argocd-cmd-params-cm` |
`controller.sharding.algorithm: round-robin` | Alpha |
diff --git a/docs/operator-manual/health.md b/docs/operator-manual/health.md
index 765d010237..d37033bbae 100644
--- a/docs/operator-manual/health.md
+++ b/docs/operator-manual/health.md
@@ -135,15 +135,17 @@ The custom health check might return one of the following health statuses:
 By default, health typically returns a `Progressing` status.
-NOTE: As a security measure, access to the standard Lua libraries will be disabled by default. Admins can control access by
-setting `resource.customizations.useOpenLibs._`. In the following example, standard libraries are enabled for health check of `cert-manager.io/Certificate`.
-
-```yaml
-data:
- resource.customizations.useOpenLibs.cert-manager.io_Certificate: true
- resource.customizations.health.cert-manager.io_Certificate: |
- # Lua standard libraries are enabled for this script
-```
+> [!NOTE]
+> As a security measure, access to the standard Lua libraries will be disabled by default.
+> Admins can control access by setting `resource.customizations.useOpenLibs._`.
+> In the following example, standard libraries are enabled for health check of `cert-manager.io/Certificate`.
+>
+> ```yaml
+> data:
+> resource.customizations.useOpenLibs.cert-manager.io_Certificate: true
+> resource.customizations.health.cert-manager.io_Certificate: |
+> # Lua standard libraries are enabled for this script
+> ```
 ### Way 2. Contribute a Custom Health Check
diff --git a/docs/operator-manual/high_availability.md b/docs/operator-manual/high_availability.md
index f46628beb5..f8a86a7a39 100644
--- a/docs/operator-manual/high_availability.md
+++ b/docs/operator-manual/high_availability.md
@@ -1,13 +1,13 @@
 # High Availability
 Argo CD is largely stateless. All data is persisted as Kubernetes objects, which in turn is stored in Kubernetes' etcd.
-Redis is only used as a throw-away cache and can be lost. When lost, it will be rebuilt without loss of service.
+Redis is only used as a disposable cache and can be safely rebuilt without service disruption.
 A set of [HA manifests](https://github.com/argoproj/argo-cd/tree/stable/manifests/ha) are provided for users who wish to run Argo CD in a highly available manner. This runs more containers, and runs Redis in HA mode.
 > [!NOTE]
-> The HA installation will require at least three different nodes due to pod anti-affinity roles in the
+> The HA installation will require at least three different nodes due to pod anti-affinity rule in the
 > specs. Additionally, IPv6 only clusters are not supported.
 ## Scaling Up
@@ -19,17 +19,17 @@ run Argo CD in a highly available manner. This runs more containers, and runs Re
 The `argocd-repo-server` is responsible for cloning Git repository, keeping it up to date and generating manifests using the appropriate tool.
-* `argocd-repo-server` fork/exec config management tool to generate manifests. The fork can fail due to lack of memory
+* `argocd-repo-server` fork/exec config management tools to generate manifests. The fork can fail due to lack of memory
 or limit on the number of OS threads. The `--parallelismlimit` flag controls how many manifests generations are running concurrently and helps avoid OOM kills.
-* the `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config
+* The `argocd-repo-server` ensures that repository is in the clean state during the manifest generation using config
 management tools such as Kustomize, Helm or custom plugin. As a result Git repositories with multiple applications might affect repository server performance. Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
-* `argocd-repo-server` clones the repository into `/tmp` (or the path specified in the `TMPDIR` env variable). The Pod
+* `argocd-repo-server` clones the repository into `/tmp` (or the path specified in the `TMPDIR` env variable). The pod
 might run out of disk space if it has too many repositories or if the repositories have a lot of files. To avoid this problem mount a persistent volume.
@@ -83,7 +83,7 @@ get the actual cluster state. syncing (seconds). The number of queue processors for each queue is controlled by `--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase the number of processors if your Argo CD instance manages too many applications. - For 1000 application we use 50 for `--status-processors` and 25 for `--operation-processors` + For 1000 applications, we use 50 for `--status-processors` and 25 for `--operation-processors` * The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure the controller refresh queue does not overflow. @@ -139,7 +139,7 @@ spec: and also reduces cluster or application reshuffling in case of additions or removals of shards or clusters. The `--sharding-method` parameter can also be overridden by setting the key `controller.sharding.algorithm` in the -`argocd-cmd-params-cm` `configMap` (preferably) or by setting the `ARGOCD_CONTROLLER_SHARDING_ALGORITHM` environment +`argocd-cmd-params-cm` `ConfigMap` (preferably) or by setting the `ARGOCD_CONTROLLER_SHARDING_ALGORITHM` environment variable and by specifying the same possible values. > [!WARNING] 
@@ -148,7 +148,7 @@ variable and by specifying the same possible values. > The `round-robin` shard distribution algorithm is an experimental feature. Reshuffling is known to occur in certain > scenarios with cluster removal. If the cluster at rank-0 is removed, reshuffling all clusters across shards will occur > and may temporarily have negative performance impacts. -> The `consistent-hashing` shard distribution algorithm is an experimental feature. Extensive benchmark have been +> The `consistent-hashing` shard distribution algorithm is an experimental feature. Extensive benchmarks have been > documented on the [CNOE blog](https://cnoe.io/blog/argo-cd-application-scalability) with encouraging results. > Community > feedback is highly appreciated before moving this feature to a production ready state. @@ -182,7 +182,7 @@ stringData: if you need to troubleshoot performance issues. Note: This metric is expensive to both query and store! * `ARGOCD_CLUSTER_CACHE_LIST_PAGE_BUFFER_SIZE` - environment variable controlling the number of pages the controller - buffers in memory when performing a list operation against the K8s api server while syncing the cluster cache. This + buffers in memory when performing a list operation against the K8s Api server while syncing the cluster cache. This is useful when the cluster contains a large number of resources and cluster sync times exceed the default etcd compaction interval timeout. In this scenario, when attempting to sync the cluster cache, the application controller may throw an error that the `continue parameter is too old to display a consistent list result`. Setting a higher 
@@ -255,14 +255,14 @@ spec: ### argocd-dex-server, argocd-redis -The `argocd-dex-server` uses an in-memory database, and two or more instances would have inconsistent data. +The `argocd-dex-server` uses an in-memory database, and two or more instances may have inconsistent data. `argocd-redis` is pre-configured with the understanding of only three total redis servers/sentinels. ## Monorepo Scaling Considerations Argo CD repo server maintains one repository clone locally and uses it for application manifest generation. If the manifest generation requires to change a file in the local repository clone then only one concurrent manifest generation -per server instance is allowed. This limitation might significantly slowdown Argo CD if you have a mono repository with +per server instance is allowed. This limitation might significantly slow down Argo CD if you have a monorepo with multiple applications (50+). ### Enable Concurrent Processing @@ -280,8 +280,8 @@ The following are known cases that might cause slowness and their workarounds: `.argocd-allow-concurrency` file in the app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository. -* **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** sorry, - no workaround for now. +* **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** Currently, + there is no workaround for this limitation. ### Manifest Paths Annotation 
@@ -522,12 +522,12 @@ Not all HTTP responses are eligible for retries. The following conditions will n Argo CD optionally exposes a profiling endpoint that can be used to profile the CPU and memory usage of the Argo CD component. -The profiling endpoint is available on metrics port of each component. See [metrics](./metrics.md) for more information +The profiling endpoint is available on the metrics port of each component. See [metrics](./metrics.md) for more information about the port. For security reasons, the profiling endpoint is disabled by default. The endpoint can be enabled by setting the -`server.profile.enabled`, `applicationsetcontroller.profile.enabled`, or `controller.profile.enabled` key -of [argocd-cmd-params-cm](argocd-cmd-params-cm.yaml) ConfigMap to `true`. -Once the endpoint is enabled, you can use go profile tool to collect the CPU and memory profiles. Example: +`server.profile.enabled`, `applicationsetcontroller.profile.enabled`, `reposerver.profile.enabled` or +`controller.profile.enabled` key of [argocd-cmd-params-cm](argocd-cmd-params-cm.yaml) ConfigMap to `true`. +Once the endpoint is enabled, you can use the go profile tool to collect the CPU and memory profiles. Example: ```bash $ kubectl port-forward svc/argocd-metrics 8082:8082 @@ -555,6 +555,7 @@ metadata: type: Opaque ``` -> [!NOTE] You can use the `argocd repo add --depth` command to add a repository with shallow cloning enabled. +> [!NOTE] +> You can use the `argocd repo add --depth` command to add a repository with shallow cloning enabled. When shallow cloning, the repository is cloned with a depth of 1, which means only the required commit is cloned as opposed to the full history. This approach makes sense when the repository has a large history. diff --git a/docs/operator-manual/ingress.md b/docs/operator-manual/ingress.md index 921c242dd0..4140fb6529 100644 --- a/docs/operator-manual/ingress.md +++ b/docs/operator-manual/ingress.md 
@@ -1,19 +1,21 @@ # Ingress Configuration -Argo CD API server runs both a gRPC server (used by the CLI), as well as a HTTP/HTTPS server (used by the UI). +Argo CD API server runs both a gRPC server (used by the CLI), as well as an HTTP/HTTPS server (used by the UI). Both protocols are exposed by the argocd-server service object on the following ports: * 443 - gRPC/HTTPS * 80 - HTTP (redirects to HTTPS) -There are several ways how Ingress can be configured. +There are several ways to configure Ingress. ## [Ambassador](https://www.getambassador.io/) The Ambassador Edge Stack can be used as a Kubernetes ingress controller with [automatic TLS termination](https://www.getambassador.io/docs/latest/topics/running/tls/#host) and routing capabilities for both the CLI and the UI. -The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). Given the `argocd` CLI includes the port number in the request `host` header, 2 Mappings are required. -Note: Disabling TLS in not required if you are using grpc-web +The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command, or simply set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). Given the `argocd` CLI includes the port number in the request `host` header, two Mappings are required. + +> [!NOTE] +> Disabling TLS is not required if you are using gRPC-Web. ### Option 1: Mapping CRD for Host-based Routing ```yaml 
@@ -375,7 +377,7 @@ Traefik can be used as an edge router and provide [TLS](https://docs.traefik.io/ It currently has an advantage over NGINX in that it can terminate both TCP and HTTP connections _on the same port_ meaning you do not require multiple hosts or paths. -The API server should be run with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command or set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). +Run the API server with TLS disabled. Edit the `argocd-server` deployment to add the `--insecure` flag to the argocd-server command or set `server.insecure: "true"` in the `argocd-cmd-params-cm` ConfigMap [as described here](server-commands/additional-configuration-method.md). ### IngressRoute CRD ```yaml @@ -476,7 +478,7 @@ Also note that we can configure the health check to return the gRPC health statu ``` ## [Istio](https://www.istio.io) -You can put Argo CD behind Istio using following configurations. Here we will achieve both serving Argo CD behind istio and using subpath on Istio +You can put Argo CD behind Istio using the following configuration. This example serves Argo CD behind Istio and uses a subpath (for example, `/argocd`). First we need to make sure that we can run Argo CD with subpath (ie /argocd). For this we have used install.yaml from argocd project as is @@ -484,7 +486,7 @@ First we need to make sure that we can run Argo CD with subpath (ie /argocd). Fo curl -kLs -o install.yaml https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml ``` -save following file as kustomization.yml +Save the following file as `kustomization.yaml`: ```yaml apiVersion: kustomize.config.k8s.io/v1beta1 
@@ -528,7 +530,7 @@ spec: value: "0" ``` -After that install Argo CD (there should be only 3 yml file defined above in current directory ) +Install Argo CD (there should be only the three YAML files defined above in the current directory): ```bash kubectl apply -k ./ -n argocd --wait=true @@ -598,7 +600,7 @@ spec: number: 80 ``` -And now we can browse http://{{ IP }}/argocd (it will be rewritten to https://{{ IP }}/argocd +You can now browse to `http:///argocd` (it will be redirected to HTTPS). ## Google Cloud load balancers with Kubernetes Ingress @@ -648,7 +650,7 @@ spec: ### Creating a BackendConfig -See that previous service referencing a backend config called `argocd-backend-config`? So lets deploy it using this yaml: +See that previous service referencing a backend config called `argocd-backend-config`? So let's deploy it using this YAML: ```yaml apiVersion: cloud.google.com/v1 @@ -777,7 +779,7 @@ Argo CD endpoints may be protected by one or more reverse proxies layers, in tha $ argocd login : --header 'x-token1:foo' --header 'x-token2:bar' # can be repeated multiple times $ argocd login : --header 'x-token1:foo,x-token2:bar' # headers can also be comma separated ``` -## ArgoCD Server and UI Root Path (v1.5.3) +## Argo CD server and UI root path (v1.5.3) Argo CD server and UI can be configured to be available under a non-root path (e.g. `/argo-cd`). To do this, add the `--rootpath` flag into the `argocd-server` deployment command: @@ -823,7 +825,7 @@ http { } } ``` -Flag ```--grpc-web-root-path ``` is used to provide a non-root path (e.g. /argo-cd) +The `--grpc-web-root-path` flag is used to provide a non-root path (e.g. /argo-cd) ```shell $ argocd login : --grpc-web-root-path /argo-cd 
@@ -881,12 +883,12 @@ http { ## Gateway API Example This section discusses using Gateway API to expose the Argo CD server in various TLS configurations, -accomodating both HTTP and gRPC traffic, possibly using HTTP/2. +accommodating both HTTP and gRPC traffic, possibly using HTTP/2. ### TLS termination at the Gateway Assume the following cluster-wide `Gateway` resource, -that terminates the TLS conection with a certificate stored in a `Secret` in the same namespace: +that terminates the TLS connection with a certificate stored in a `Secret` in the same namespace: ```yaml apiVersion: gateway.networking.k8s.io/v1 @@ -1000,7 +1002,7 @@ server: servicePortHttpsAppProtocol: kubernetes.io/h2c ``` -##### Routing gRPC and HTTP on through the same domain +##### Routing gRPC and HTTP through the same domain Although officially [discouraged](https://gateway-api.sigs.k8s.io/api-types/grpcroute/#cross-serving), attaching the `HTTPRoute` and `GRPCRoute` to the same domain may be supported by some implementations. @@ -1033,7 +1035,7 @@ spec: TLS can also be configured to terminate at the Argo CD API server. -This require attaching a `TLSRoute` to the gateway, +This requires attaching a `TLSRoute` to the gateway, which is part of the [Experimental](https://gateway-api.sigs.k8s.io/reference/1.4/specx/) Gateway API CRDs. ```yaml diff --git a/docs/operator-manual/installation.md b/docs/operator-manual/installation.md index 57b409b492..6eb4bef059 100644 --- a/docs/operator-manual/installation.md +++ b/docs/operator-manual/installation.md 
@@ -1,28 +1,28 @@ # Installation -Argo CD has two type of installations: multi-tenant and core. +Argo CD has two types of installations: multi-tenant and core. ## Multi-Tenant The multi-tenant installation is the most common way to install Argo CD. This type of installation is typically used to service multiple application developer teams in the organization and maintained by a platform team. -The end-users can access Argo CD via the API server using the Web UI or `argocd` CLI. The `argocd` CLI has to be configured using `argocd login ` command -(learn more [here](../user-guide/commands/argocd_login.md)). +The end-users can access Argo CD via the API server using the Web UI or `argocd` CLI. The `argocd` CLI has to be [configured](../user-guide/commands/argocd_login.md) using `argocd login ` command. Two types of installation manifests are provided: -### Non High Availability: +### Non-High Availability: -Not recommended for production use. This type of installation is typically used during evaluation period for demonstrations and testing. +Not recommended for production use. This type of installation is typically used during an evaluation period for demonstrations and testing. * [install.yaml](https://github.com/argoproj/argo-cd/blob/stable/manifests/install.yaml) - Standard Argo CD installation with cluster-admin access. Use this manifest set if you plan to use Argo CD to deploy applications in the same cluster that Argo CD runs in (i.e. kubernetes.svc.default). It will still be able to deploy to external clusters with inputted credentials. - > Note: The ClusterRoleBinding in the installation manifest is bound to a ServiceAccount in the argocd namespace. - > Be cautious when modifying the namespace, as changing it may cause permission-related errors unless the ClusterRoleBinding is correctly adjusted to reflect the new namespace. +> [!NOTE] +> The ClusterRoleBinding in the installation manifest is bound to a ServiceAccount in the argocd namespace. 
+> Be cautious when modifying the namespace, as changing it may cause permission-related errors unless the ClusterRoleBinding is correctly adjusted to reflect the new namespace. * [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/stable/manifests/namespace-install.yaml) - Installation of Argo CD which requires only namespace level privileges (does not need cluster roles). Use this manifest set if you do not 
@@ -30,18 +30,19 @@ Not recommended for production use. This type of installation is typically used on inputted cluster credentials. An example of using this set of manifests is if you run several Argo CD instances for different teams, where each instance will be deploying applications to external clusters. It will still be possible to deploy to the same cluster (kubernetes.svc.default) - with inputted credentials (i.e. `argocd cluster add --in-cluster --namespace `). + with provided credentials (i.e. `argocd cluster add --in-cluster --namespace `). With the default roles included, you will only be able to deploy Argo CD resources (Applications, ApplicationSets and AppProjects) in the same cluster, as it's only supporting the GitOps mode with real deployments being done to external clusters. You can modify that by defining new roles and binding them to the `argocd-application-controller` service account. - > Note: Argo CD CRDs are not included into [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/stable/manifests/namespace-install.yaml). - > and have to be installed separately. The CRD manifests are located in the [manifests/crds](https://github.com/argoproj/argo-cd/blob/stable/manifests/crds) directory. - > Use the following command to install them: - > ``` - > kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable - > ``` +> [!NOTE] +> Argo CD CRDs are not included into [namespace-install.yaml](https://github.com/argoproj/argo-cd/blob/stable/manifests/namespace-install.yaml). +> and have to be installed separately. The CRD manifests are located in the [manifests/crds](https://github.com/argoproj/argo-cd/blob/stable/manifests/crds) directory. +> Use the following command to install them: +> ``` +> kubectl apply --server-side --force-conflicts -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable +> ``` ### High Availability: 
@@ -59,13 +60,13 @@ The Argo CD Core installation is primarily used to deploy Argo CD in headless mode. This type of installation is most suitable for cluster administrators who independently use Argo CD and don't need multi-tenancy features. This installation includes fewer components -and is easier to setup. The bundle does not include the API server or +and is easier to set up. The bundle does not include the API server or UI, and installs the lightweight (non-HA) version of each component. Installation manifest is available at [core-install.yaml](https://github.com/argoproj/argo-cd/blob/stable/manifests/core-install.yaml). For more details about Argo CD Core please refer to the [official -documentation](./core.md) +documentation](./core.md). ## Kustomize @@ -116,7 +117,7 @@ The Argo CD can be installed using [Helm](https://helm.sh/). The Helm chart is c ## Supported versions -For detailed information regarding Argo CD's version support policy, please refer to the [Release Process and Cadence documentation](https://argo-cd.readthedocs.io/en/stable/developer-guide/release-process-and-cadence/). +For detailed information regarding Argo CD's version support policy, please refer to the [Release Process and Cadence documentation](../developer-guide/release-process-and-cadence.md). ## Tested versions diff --git a/docs/operator-manual/metrics.md b/docs/operator-manual/metrics.md index 927b42a8da..9b3ebcaaf9 100644 --- a/docs/operator-manual/metrics.md +++ b/docs/operator-manual/metrics.md @@ -416,7 +416,7 @@ spec: ## Dashboards -You can find an example Grafana dashboard [here](https://github.com/argoproj/argo-cd/blob/master/examples/dashboard.json) or check demo instance +You can find an [example Grafana dashboard](https://github.com/argoproj/argo-cd/blob/master/examples/dashboard.json) or check the demo instance [dashboard](https://grafana.apps.argoproj.io). ![dashboard](../assets/dashboard.jpg) 
diff --git a/docs/operator-manual/notifications/services/github.md b/docs/operator-manual/notifications/services/github.md index ea2fcea85f..3c95c233f6 100755 --- a/docs/operator-manual/notifications/services/github.md +++ b/docs/operator-manual/notifications/services/github.md @@ -115,3 +115,6 @@ template.app-deployed: | - The `github.pullRequestComment.commentTag` parameter is used to identify the comment. If a comment with the specified tag is found, it will be updated (upserted). If no comment with the tag is found, a new comment will be created. - Reference is optional. When set, it will be used as the ref to deploy. If not set, the revision will be used as the ref to deploy. +## Commit Statuses + +The [method for generating commit statuses](https://docs.github.com/en/rest/commits/statuses?apiVersion=2022-11-28#create-a-commit-status) allows a maximum of 1000 attempts using the same commit SHA and context. Once this limit is reached, the API returns validation errors (HTTP 422). The notification engine ignores these errors and marks the notification attempts as completed. diff --git a/docs/operator-manual/notifications/services/nats.md b/docs/operator-manual/notifications/services/nats.md new file mode 100755 index 0000000000..a69ab78277 --- /dev/null +++ b/docs/operator-manual/notifications/services/nats.md 
@@ -0,0 +1,49 @@ +# Nats + +## Parameters + +This notification service is capable of sending simple messages via Nats. + +* Url - Nats server URL, e.g. `nats://nats:4222` +* Headers - optional, additional headers to be sent with the message +* User - optional, Nats user for authentication used in combination with password +* Password - optional, Nats password for authentication used in combination with user +* Nkey - optional, Nats key for authentication + +## Example + +Resource Annotation: +```yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + annotations: + notifications.argoproj.io/subscribe.on-deployment-ready.nats: "mytopic" +``` + +* ConfigMap +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-notifications-cm +data: + service.nats: | + url: "nats://nats:4222" + headers: + my-header: "my-value" + +template.deployment-ready: | + message: | + Deployment {{.obj.metadata.name}} is ready! + + trigger.on-deployment-ready: | + - when: any(obj.status.conditions, {.type == 'Available' && .status == 'True'}) + send: [deployment-ready] + - oncePer: obj.metadata.annotations["generation"] + +``` + + + diff --git a/docs/operator-manual/notifications/services/newrelic.md b/docs/operator-manual/notifications/services/newrelic.md index 57c4f28d3d..e9f1c21b5a 100755 --- a/docs/operator-manual/notifications/services/newrelic.md +++ b/docs/operator-manual/notifications/services/newrelic.md 
@@ -47,12 +47,14 @@ metadata: ## Templates -* `description` - __optional__, high-level description of this deployment, visible in the [Summary](https://docs.newrelic.com/docs/apm/applications-menu/monitoring/apm-overview-page) page and on the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) page when you select an individual deployment. - * Defaults to `message` -* `changelog` - __optional__, A summary of what changed in this deployment, visible in the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) page when you select (selected deployment) > Change log. - * Defaults to `{{(call .repo.GetCommitMetadata .app.status.sync.revision).Message}}` -* `user` - __optional__, A username to associate with the deployment, visible in the [Summary](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) and on the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page). - * Defaults to `{{(call .repo.GetCommitMetadata .app.status.sync.revision).Author}}` +- `revision` - **optional**, The revision being deployed. Can contain a custom template to extract the revision from your specific application status structure. + - Defaults to `{{.app.status.operationState.syncResult.revision}}` +- `description` - **optional**, high-level description of this deployment, visible in the [Summary](https://docs.newrelic.com/docs/apm/applications-menu/monitoring/apm-overview-page) page and on the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) page when you select an individual deployment. + - Defaults to `message` +- `changelog` - **optional**, A summary of what changed in this deployment, visible in the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) page when you select (selected deployment) > Change log. 
+ - Defaults to `{{(call .repo.GetCommitMetadata .app.status.sync.revision).Message}}` +- `user` - **optional**, A username to associate with the deployment, visible in the [Summary](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page) and on the [Deployments](https://docs.newrelic.com/docs/apm/applications-menu/events/deployments-page). + - Defaults to `{{(call .repo.GetCommitMetadata .app.status.sync.revision).Author}}` ```yaml context: | diff --git a/docs/operator-manual/rbac.md b/docs/operator-manual/rbac.md index 9cf763eeae..e0c8978ba5 100644 --- a/docs/operator-manual/rbac.md +++ b/docs/operator-manual/rbac.md @@ -162,16 +162,16 @@ p, example-user, applications, update/*, default/prod-app, deny > > Prior to v3, `update` and `delete` actions (without a `/*`) were also evaluated > on sub-resources. -> +> > To preserve this behavior, you can set the config value > `server.rbac.disableApplicationFineGrainedRBACInheritance` to `false` in > the Argo CD ConfigMap `argocd-cm`. -> +> > When disabled, it is not possible to deny fine-grained permissions for a sub-resource > if the action was **explicitly allowed on the application**. > For instance, the following policies will **allow** a user to delete the Pod and any > other resources in the application: -> +> > ```csv > p, example-user, applications, delete, default/prod-app, allow > p, example-user, applications, delete/*/Pod/*, default/prod-app, deny 
@@ -206,17 +206,17 @@ p, example-user, applications, action/*, default/*, allow #### The `override` action -The `override` action privilege can be used to allow passing arbitrary manifests or different revisions when syncing an `Application`. This can e.g. be used for development or testing purposes. +The `override` action privilege can be used to allow passing arbitrary manifests or different revisions when syncing an `Application`. This can e.g. be used for development or testing purposes. -**Attention:** This allows users to completely change/delete the deployed resources of the application. +**Attention:** This allows users to completely change/delete the deployed resources of the application. -While the `sync` action privilege gives the right to synchronize the objects in the cluster to the desired state as defined in the `Application` Object, the `override` action privilege will allow a user to synchronize arbitrary local manifests to the Application. These manifests will be used _instead of_ the configured source, until the next sync is performed. After performing such a override sync, the application will most probably be OutOfSync with the state defined via the `Application` object. +While the `sync` action privilege gives the right to synchronize the objects in the cluster to the desired state as defined in the `Application` Object, the `override` action privilege will allow a user to synchronize arbitrary local manifests to the Application. These manifests will be used _instead of_ the configured source, until the next sync is performed. After performing such a override sync, the application will most probably be OutOfSync with the state defined via the `Application` object. It is not possible to perform an `override` sync when auto-sync is enabled. 
-New since v3.2: +New since v3.2: -When `application.sync.requireOverridePrivilegeForRevisionSync: 'true'` is set in the `argcd-cm` configmap, -passing a revision when syncing an `Application` is also considered as an `override`, to prevent synchronizing to arbitrary revisions other than the revision(s) given in the `Application` object. Similar as synching to an arbitrary yaml manifest, syncing to a different revision/branch/commit will also bring the controlled objects to a state differing, and thus OufOfSync from the state as defined in the `Application`. +When `application.sync.requireOverridePrivilegeForRevisionSync: 'true'` is set in the `argcd-cm` configmap, +passing a revision when syncing an `Application` is also considered as an `override`, to prevent synchronizing to arbitrary revisions other than the revision(s) given in the `Application` object. Similar as syncing to an arbitrary yaml manifest, syncing to a different revision/branch/commit will also bring the controlled objects to a state differing, and thus OufOfSync from the state as defined in the `Application`. The default setting of this flag is 'false', to prevent breaking changes in existing installations. It is recommended to set this setting to 'true' and only grant the `override` privilege per AppProject to the users that actually need this behavior. @@ -346,7 +346,7 @@ data: Here: 1. `g, admin, role:admin` explicitly binds the built-in admin user to the admin role. -2. `g, role:admin, role:readonly` shows role inheritance, so anyone granted `role:admin` also automatically has all the permissions of +2. `g, role:admin, role:readonly` shows role inheritance, so anyone granted `role:admin` also automatically has all the permissions of `role:readonly`. This approach can be combined with AppProjects to associate users' emails and groups directly at the project level: 
@@ -390,15 +390,15 @@ g, my-local-user, role:admin > If you have [enabled SSO](user-management/index.md#sso), any SSO user with a scope that matches a local user will be > added to the same roles as the local user. For example, if local user `sally` is assigned to `role:admin`, and if an > SSO user has a scope which happens to be named `sally`, that SSO user will also be assigned to `role:admin`. -> +> > An example of where this may be a problem is if your SSO provider is an SCM, and org members are automatically > granted scopes named after the orgs. If a user can create or add themselves to an org in the SCM, they can gain the > permissions of the local user with the same name. -> +> > To avoid ambiguity, if you are using local users and SSO, it is recommended to assign policies directly to local > users, and not to assign roles to local users. In other words, instead of using `g, my-local-user, role:admin`, you > should explicitly assign policies to `my-local-user`: -> +> > ```yaml > p, my-local-user, *, *, *, allow > ``` diff --git a/docs/operator-manual/security.md b/docs/operator-manual/security.md index 1280d9bb56..924b4b8498 100644 --- a/docs/operator-manual/security.md +++ b/docs/operator-manual/security.md 
@@ -136,11 +136,9 @@ kubectl delete clusterrole argocd-manager-role
 kubectl delete clusterrolebinding argocd-manager-role-binding
 argocd cluster rm https://your-kubernetes-cluster-addr
 ```
-
-> NOTE: for AWS EKS clusters, the [get-token](https://docs.aws.amazon.com/cli/latest/reference/eks/get-token.html) command
- is used to authenticate to the external cluster, which uses IAM roles in lieu of locally stored
- tokens, so token rotation is not needed, and revocation is handled through IAM.
-
+
+> [!NOTE]
+> For AWS EKS clusters, the [get-token](https://docs.aws.amazon.com/cli/latest/reference/eks/get-token.html) command is used to authenticate to the external cluster, which uses IAM roles in lieu of locally stored tokens, so token rotation is not needed, and revocation is handled through IAM.
 ## Cluster RBAC
diff --git a/docs/operator-manual/server-commands/argocd-applicationset-controller.md b/docs/operator-manual/server-commands/argocd-applicationset-controller.md
index 40c97c4f0b..3e6de6b2ee 100644
--- a/docs/operator-manual/server-commands/argocd-applicationset-controller.md
+++ b/docs/operator-manual/server-commands/argocd-applicationset-controller.md
@@ -37,7 +37,7 @@ argocd-applicationset-controller [flags]
 --kubeconfig string Path to a kube config. Only required if out-of-cluster
 --logformat string Set the logging format. One of: json|text (default "json")
 --loglevel string Set the logging level. One of: debug|info|warn|error (default "info")
- --max-resources-status-count int Max number of resources stored in appset status.
+ --max-resources-status-count int Max number of resources stored in appset status. (default 5000)
 --metrics-addr string The address the metric endpoint binds to. (default ":8080")
 --metrics-applicationset-labels strings List of Application labels that will be added to the argocd_applicationset_labels metric
 -n, --namespace string If present, the namespace scope for this CLI request
diff --git a/docs/operator-manual/upgrading/1.8-2.0.md b/docs/operator-manual/upgrading/1.8-2.0.md
index 2d1b0b3a20..3ba3d356c1 100644
--- a/docs/operator-manual/upgrading/1.8-2.0.md
+++ b/docs/operator-manual/upgrading/1.8-2.0.md
@@ -117,8 +117,7 @@ Helm adds). You can fix this by syncing the Application.
 If you have existing Charts that require to be rendered using Helm v2, you will
 need to explicitly configure your Application to use Helm v2 for rendering the
-chart, as described
-[here](../../user-guide/helm.md#helm-version).
+chart, as described in the user guide's section on [Helm](../../user-guide/helm.md#helm-version).
 Please also note that Helm v2 is now being considered deprecated in Argo CD, as
 it will not receive any updates from the upstream Helm project anymore. We will
diff --git a/docs/operator-manual/upgrading/3.2-3.3.md b/docs/operator-manual/upgrading/3.2-3.3.md
index 53650fe112..3d98823545 100644
--- a/docs/operator-manual/upgrading/3.2-3.3.md
+++ b/docs/operator-manual/upgrading/3.2-3.3.md
@@ -28,6 +28,12 @@ When Argo CD is upgraded manually using plain manifests or Kustomize overlays, i
 Users upgrading Argo CD manually using `helm upgrade` are not impacted by this change, since Helm does not use client-side apply and does not result in creation of the `last-applied` annotation.
+#### Users who previously upgraded to 3.3.0 or 3.3.1
+In some cases, after upgrading to one of those versions and applying Server-Side Apply, the following error occured:
+`one or more synchronization tasks completed unsuccessfully, reason: Failed to perform client-side apply migration: failed to perform client-side apply migration on manager kubectl-client-side-apply: error when patching "/dev/shm/2047509016": CustomResourceDefinition.apiextensions.k8s.io "applicationsets.argoproj.io" is invalid: metadata.annotations: Too long: may not be more than 262144 bytes`.
+
+Users that have configured the sync option `ClientSideApplyMigration=false` as a temporary remediation for the above error, should remove it after upgrading to `3.3.2`. Disabling `ClientSideApplyMigration` imposes a risk to encounter conflicts between K8s field managers in the future.
+
 ### Source Hydrator Now Tracks Hydration State Using Git Notes
 Previously, Argo CD's Source Hydrator pushed a new hydrated commit for every DRY (source) commit, regardless of whether any manifest files (`manifest.yaml`) actually changed. This was necessary for the hydrator to track which DRY commit had last been hydrated: it embedded this information in the `hydrator.metadata` file's `drySha` field in each hydrated commit.
diff --git a/docs/operator-manual/upgrading/3.3-3.4.md b/docs/operator-manual/upgrading/3.3-3.4.md
index 6d37ff0ee7..2a5f43d187 100644
--- a/docs/operator-manual/upgrading/3.3-3.4.md
+++ b/docs/operator-manual/upgrading/3.3-3.4.md
@@ -17,3 +17,37 @@ The behavior of Application health status has changed to be more consistent and
 - Applications with some missing resources will now show the health of their existing resources (e.g., `Healthy`, `Progressing`, `Degraded`) instead of `Missing`
 - Automation relying on the Application Health status to detect missing resources should now check the Sync status for `OutOfSync` instead, and optionally inspect individual resource health if needed.
 - Users can now distinguish between an Application that has never been synced (all resources missing = `Missing` health) vs. an Application with some resources deleted (shows health of remaining resources)
+
+## gRPC Service Config DNS Lookups Disabled by Default
+
+ArgoCD components now disable gRPC service config lookups via DNS TXT records by default to prevent excessive DNS queries and timeouts in dual-stack (IPv4+IPv6) Kubernetes environments.
+
+**Background:**
+
+gRPC clients by default attempt to discover service configuration by querying DNS TXT records for `_grpc_config.`. In dual-stack environments, these lookups can result in excessive DNS queries and timeouts, causing repo-server crashes and sync failures.
+
+**New behavior:**
+
+- The environment variable `GRPC_ENABLE_TXT_SERVICE_CONFIG` is now set to `false` by default for all ArgoCD components
+- This prevents gRPC from attempting DNS TXT record lookups for service configuration
+- Most users do not use DNS TXT records for gRPC service configuration
+
+**Impact:**
+
+- **Positive**: Eliminates excessive DNS queries in dual-stack environments, preventing timeouts and improving reliability
+- **Minimal**: The vast majority of users do not use DNS TXT records for gRPC service configuration and will see no functional change
+- **Re-enablement**: Users who do rely on gRPC service config via DNS TXT records can re-enable this feature by setting the parameter `controller.grpc.enable.txt.service.config: "true"` in the `argocd-cmd-params-cm` ConfigMap
+
+**Example to re-enable (if needed):**
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+ namespace: argocd
+data:
+ controller.grpc.enable.txt.service.config: "true"
+```
+
+**Related Issue**: https://github.com/argoproj/argo-cd/issues/24991
diff --git a/docs/operator-manual/user-management/index.md b/docs/operator-manual/user-management/index.md
index 982d243e8f..3cd50c15a0 100644
--- a/docs/operator-manual/user-management/index.md
+++ b/docs/operator-manual/user-management/index.md
@@ -505,7 +505,8 @@ If you want to store sensitive data in **another** Kubernetes `Secret`, instead
 Syntax: `$:`
-> NOTE: Secret must have label `app.kubernetes.io/part-of: argocd`
+> [!NOTE]
+> Secret must have label `app.kubernetes.io/part-of: argocd`
 ##### Example
diff --git a/docs/operator-manual/webhook.md b/docs/operator-manual/webhook.md
index f08de8835f..e8b7de2981 100644
--- a/docs/operator-manual/webhook.md
+++ b/docs/operator-manual/webhook.md
@@ -108,7 +108,8 @@ If you want to store webhook data in **another** Kubernetes `Secret`, instead of
 Syntax: `$:`
-> NOTE: Secret must have label `app.kubernetes.io/part-of: argocd`
+> [!NOTE]
+> Secret must have label `app.kubernetes.io/part-of: argocd`
 For more information refer to the corresponding section in the [User Management Documentation](user-management/index.md#alternative).
diff --git a/docs/snyk/index.md b/docs/snyk/index.md
index 0c73950a1c..3197c713d5 100644
--- a/docs/snyk/index.md
+++ b/docs/snyk/index.md
@@ -13,64 +13,52 @@ recent minor releases.
 | | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](master/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 1 | 2 |
-| [dex:v2.43.0](master/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 0 | 0 | 5 |
-| [haproxy:3.0.8-alpine](master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 0 | 0 | 5 |
-| [redis:8.2.3-alpine](master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 2 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 8 | 8 |
+| [gitops-engine/go.mod](master/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](master/argocd-test.html) | 0 | 1 | 6 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 4 | 2 | 2 |
+| [dex:v2.44.0](master/ghcr.io_dexidp_dex_v2.44.0.html) | 0 | 1 | 0 | 16 |
+| [haproxy:3.0.8-alpine](master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 7 | 10 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
-### v3.3.0-rc3
+### v3.3.1
 | | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.3.0-rc3/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [ui/yarn.lock](v3.3.0-rc3/argocd-test.html) | 0 | 1 | 1 | 2 |
-| [dex:v2.43.0](v3.3.0-rc3/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 0 | 0 | 5 |
-| [haproxy:3.0.8-alpine](v3.3.0-rc3/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 0 | 0 | 5 |
-| [redis:8.2.3-alpine](v3.3.0-rc3/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 2 |
-| [argocd:v3.3.0-rc3](v3.3.0-rc3/quay.io_argoproj_argocd_v3.3.0-rc3.html) | 0 | 1 | 6 | 11 |
-| [install.yaml](v3.3.0-rc3/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.3.0-rc3/argocd-iac-namespace-install.html) | - | - | - | - |
+| [gitops-engine/go.mod](v3.3.1/argocd-test.html) | 0 | 0 | 2 | 0 |
+| [go.mod](v3.3.1/argocd-test.html) | 0 | 1 | 6 | 0 |
+| [ui/yarn.lock](v3.3.1/argocd-test.html) | 0 | 5 | 5 | 2 |
+| [dex:v2.43.0](v3.3.1/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.3.1/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.3-alpine](v3.3.1/public.ecr.aws_docker_library_redis_8.2.3-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v3.3.1](v3.3.1/quay.io_argoproj_argocd_v3.3.1.html) | 0 | 0 | 7 | 12 |
+| [install.yaml](v3.3.1/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.3.1/argocd-iac-namespace-install.html) | - | - | - | - |
-### v3.2.5
+### v3.2.7
 | | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.2.5/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [ui/yarn.lock](v3.2.5/argocd-test.html) | 0 | 1 | 3 | 2 |
-| [dex:v2.43.0](v3.2.5/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 0 | 0 | 5 |
-| [haproxy:3.0.8-alpine](v3.2.5/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 0 | 0 | 5 |
-| [redis:8.2.2-alpine](v3.2.5/public.ecr.aws_docker_library_redis_8.2.2-alpine.html) | 0 | 0 | 0 | 2 |
-| [argocd:v3.2.5](v3.2.5/quay.io_argoproj_argocd_v3.2.5.html) | 0 | 0 | 6 | 11 |
-| [install.yaml](v3.2.5/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.2.5/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v3.2.7/argocd-test.html) | 0 | 1 | 6 | 0 |
+| [ui/yarn.lock](v3.2.7/argocd-test.html) | 0 | 5 | 7 | 2 |
+| [dex:v2.43.0](v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:8.2.2-alpine](v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html) | 0 | 1 | 0 | 13 |
+| [argocd:v3.2.7](v3.2.7/quay.io_argoproj_argocd_v3.2.7.html) | 0 | 0 | 0 | 1 |
+| [install.yaml](v3.2.7/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.2.7/argocd-iac-namespace-install.html) | - | - | - | - |
-### v3.1.11
+### v3.1.12
 | | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.1.11/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [ui/yarn.lock](v3.1.11/argocd-test.html) | 1 | 1 | 3 | 2 |
-| [dex:v2.43.0](v3.1.11/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 0 | 0 | 5 |
-| [haproxy:3.0.8-alpine](v3.1.11/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 0 | 0 | 5 |
-| [redis:7.2.11-alpine](v3.1.11/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 0 | 0 | 2 |
-| [argocd:v3.1.11](v3.1.11/quay.io_argoproj_argocd_v3.1.11.html) | 0 | 0 | 7 | 15 |
-| [install.yaml](v3.1.11/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.1.11/argocd-iac-namespace-install.html) | - | - | - | - |
-
-### v3.0.22
-
-| | Critical | High | Medium | Low |
-|---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v3.0.22/argocd-test.html) | 0 | 0 | 0 | 0 |
-| [ui/yarn.lock](v3.0.22/argocd-test.html) | 1 | 2 | 4 | 4 |
-| [dex:v2.41.1](v3.0.22/ghcr.io_dexidp_dex_v2.41.1.html) | 0 | 2 | 0 | 8 |
-| [haproxy:3.0.8-alpine](v3.0.22/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 0 | 0 | 5 |
-| [redis:7.2.11-alpine](v3.0.22/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 0 | 0 | 2 |
-| [argocd:v3.0.22](v3.0.22/quay.io_argoproj_argocd_v3.0.22.html) | 0 | 0 | 7 | 15 |
-| [redis:7.2.11-alpine](v3.0.22/redis_7.2.11-alpine.html) | 0 | 0 | 0 | 2 |
-| [install.yaml](v3.0.22/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v3.0.22/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v3.1.12/argocd-test.html) | 0 | 1 | 6 | 0 |
+| [ui/yarn.lock](v3.1.12/argocd-test.html) | 1 | 5 | 7 | 2 |
+| [dex:v2.43.0](v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html) | 0 | 1 | 0 | 14 |
+| [haproxy:3.0.8-alpine](v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html) | 0 | 1 | 0 | 14 |
+| [redis:7.2.11-alpine](v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html) | 0 | 1 | 0 | 11 |
+| [argocd:v3.1.12](v3.1.12/quay.io_argoproj_argocd_v3.1.12.html) | 0 | 0 | 11 | 24 |
+| [install.yaml](v3.1.12/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v3.1.12/argocd-iac-namespace-install.html) | - | - | - | - |
diff --git a/docs/snyk/master/argocd-iac-install.html b/docs/snyk/master/argocd-iac-install.html
index 7fb915e559..9eb6c1bd63 100644
--- a/docs/snyk/master/argocd-iac-install.html
+++ b/docs/snyk/master/argocd-iac-install.html
@@ -456,7 +456,7 @@

Snyk test report

-

January 18th 2026, 12:27:35 am (UTC+00:00)

+

February 22nd 2026, 12:30:44 am (UTC+00:00)

Scanned the following path: @@ -507,7 +507,7 @@
  • - Line number: 30946 + Line number: 30947
  • @@ -553,7 +553,7 @@
  • - Line number: 30631 + Line number: 30632
  • @@ -599,7 +599,7 @@
  • - Line number: 30719 + Line number: 30720
  • @@ -645,7 +645,7 @@
  • - Line number: 30754 + Line number: 30755
  • @@ -691,7 +691,7 @@
  • - Line number: 30784 + Line number: 30785
  • @@ -737,7 +737,7 @@
  • - Line number: 30802 + Line number: 30803
  • @@ -783,7 +783,7 @@
  • - Line number: 30820 + Line number: 30821
  • @@ -829,7 +829,7 @@
  • - Line number: 30842 + Line number: 30843
  • @@ -881,7 +881,7 @@
  • - Line number: 32049 + Line number: 32098
  • @@ -933,7 +933,7 @@
  • - Line number: 32392 + Line number: 32453
  • @@ -991,7 +991,7 @@
  • - Line number: 31529 + Line number: 31530
  • @@ -1049,7 +1049,7 @@
  • - Line number: 31845 + Line number: 31894
  • @@ -1107,7 +1107,7 @@
  • - Line number: 31793 + Line number: 31842
  • @@ -1165,7 +1165,7 @@
  • - Line number: 31907 + Line number: 31956
  • @@ -1223,7 +1223,7 @@
  • - Line number: 32020 + Line number: 32069
  • @@ -1281,7 +1281,7 @@
  • - Line number: 32044 + Line number: 32093
  • @@ -1339,7 +1339,7 @@
  • - Line number: 32392 + Line number: 32453
  • @@ -1397,7 +1397,7 @@
  • - Line number: 32103 + Line number: 32152
  • @@ -1455,7 +1455,7 @@
  • - Line number: 32480 + Line number: 32548
  • @@ -1513,7 +1513,7 @@
  • - Line number: 32890 + Line number: 33006
  • @@ -1565,7 +1565,7 @@
  • - Line number: 31825 + Line number: 31874
  • @@ -1617,7 +1617,7 @@
  • - Line number: 31529 + Line number: 31530
  • @@ -1669,7 +1669,7 @@
  • - Line number: 31793 + Line number: 31842
  • @@ -1721,7 +1721,7 @@
  • - Line number: 32020 + Line number: 32069
  • @@ -1779,7 +1779,7 @@
  • - Line number: 31529 + Line number: 31530
  • @@ -1837,7 +1837,7 @@
  • - Line number: 31793 + Line number: 31842
  • @@ -1895,7 +1895,7 @@
  • - Line number: 31845 + Line number: 31894
  • @@ -1953,7 +1953,7 @@
  • - Line number: 31907 + Line number: 31956
  • @@ -2011,7 +2011,7 @@
  • - Line number: 32020 + Line number: 32069
  • @@ -2069,7 +2069,7 @@
  • - Line number: 32044 + Line number: 32093
  • @@ -2127,7 +2127,7 @@
  • - Line number: 32392 + Line number: 32453
  • @@ -2185,7 +2185,7 @@
  • - Line number: 32103 + Line number: 32152
  • @@ -2243,7 +2243,7 @@
  • - Line number: 32480 + Line number: 32548
  • @@ -2301,7 +2301,7 @@
  • - Line number: 32890 + Line number: 33006
  • @@ -2357,7 +2357,7 @@
  • - Line number: 31706 + Line number: 31755
  • @@ -2413,7 +2413,7 @@
  • - Line number: 31853 + Line number: 31902
  • @@ -2469,7 +2469,7 @@
  • - Line number: 31828 + Line number: 31877
  • @@ -2525,7 +2525,7 @@
  • - Line number: 31952 + Line number: 32001
  • @@ -2581,7 +2581,7 @@
  • - Line number: 32037 + Line number: 32086
  • @@ -2637,7 +2637,7 @@
  • - Line number: 32051 + Line number: 32100
  • @@ -2693,7 +2693,7 @@
  • - Line number: 32400 + Line number: 32461
  • @@ -2749,7 +2749,7 @@
  • - Line number: 32365 + Line number: 32426
  • @@ -2805,7 +2805,7 @@
  • - Line number: 32789 + Line number: 32905
  • @@ -2861,7 +2861,7 @@
  • - Line number: 33165 + Line number: 33329
  • diff --git a/docs/snyk/master/argocd-iac-namespace-install.html b/docs/snyk/master/argocd-iac-namespace-install.html index c736c1752b..8e2cc4cf21 100644 --- a/docs/snyk/master/argocd-iac-namespace-install.html +++ b/docs/snyk/master/argocd-iac-namespace-install.html @@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:27:45 am (UTC+00:00)

    +

    February 22nd 2026, 12:30:56 am (UTC+00:00)

    Scanned the following path: @@ -835,7 +835,7 @@
  • - Line number: 1297 + Line number: 1345
  • @@ -887,7 +887,7 @@
  • - Line number: 1640 + Line number: 1700
  • @@ -1003,7 +1003,7 @@
  • - Line number: 1093 + Line number: 1141
  • @@ -1061,7 +1061,7 @@
  • - Line number: 1041 + Line number: 1089
  • @@ -1119,7 +1119,7 @@
  • - Line number: 1155 + Line number: 1203
  • @@ -1177,7 +1177,7 @@
  • - Line number: 1268 + Line number: 1316
  • @@ -1235,7 +1235,7 @@
  • - Line number: 1292 + Line number: 1340
  • @@ -1293,7 +1293,7 @@
  • - Line number: 1640 + Line number: 1700
  • @@ -1351,7 +1351,7 @@
  • - Line number: 1351 + Line number: 1399
  • @@ -1409,7 +1409,7 @@
  • - Line number: 1728 + Line number: 1795
  • @@ -1467,7 +1467,7 @@
  • - Line number: 2138 + Line number: 2253
  • @@ -1519,7 +1519,7 @@
  • - Line number: 1073 + Line number: 1121
  • @@ -1623,7 +1623,7 @@
  • - Line number: 1041 + Line number: 1089
  • @@ -1675,7 +1675,7 @@
  • - Line number: 1268 + Line number: 1316
  • @@ -1791,7 +1791,7 @@
  • - Line number: 1041 + Line number: 1089
  • @@ -1849,7 +1849,7 @@
  • - Line number: 1093 + Line number: 1141
  • @@ -1907,7 +1907,7 @@
  • - Line number: 1155 + Line number: 1203
  • @@ -1965,7 +1965,7 @@
  • - Line number: 1268 + Line number: 1316
  • @@ -2023,7 +2023,7 @@
  • - Line number: 1292 + Line number: 1340
  • @@ -2081,7 +2081,7 @@
  • - Line number: 1640 + Line number: 1700
  • @@ -2139,7 +2139,7 @@
  • - Line number: 1351 + Line number: 1399
  • @@ -2197,7 +2197,7 @@
  • - Line number: 1728 + Line number: 1795
  • @@ -2255,7 +2255,7 @@
  • - Line number: 2138 + Line number: 2253
  • @@ -2311,7 +2311,7 @@
  • - Line number: 954 + Line number: 1002
  • @@ -2367,7 +2367,7 @@
  • - Line number: 1101 + Line number: 1149
  • @@ -2423,7 +2423,7 @@
  • - Line number: 1076 + Line number: 1124
  • @@ -2479,7 +2479,7 @@
  • - Line number: 1200 + Line number: 1248
  • @@ -2535,7 +2535,7 @@
  • - Line number: 1285 + Line number: 1333
  • @@ -2591,7 +2591,7 @@
  • - Line number: 1299 + Line number: 1347
  • @@ -2647,7 +2647,7 @@
  • - Line number: 1648 + Line number: 1708
  • @@ -2703,7 +2703,7 @@
  • - Line number: 1613 + Line number: 1673
  • @@ -2759,7 +2759,7 @@
  • - Line number: 2037 + Line number: 2152
  • @@ -2815,7 +2815,7 @@
  • - Line number: 2413 + Line number: 2576
  • diff --git a/docs/snyk/master/argocd-test.html b/docs/snyk/master/argocd-test.html index c4271d8581..75b497c9f9 100644 --- a/docs/snyk/master/argocd-test.html +++ b/docs/snyk/master/argocd-test.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,21 +492,22 @@

    Snyk test report

    -

    January 18th 2026, 12:25:09 am (UTC+00:00)

    +

    February 22nd 2026, 12:28:07 am (UTC+00:00)

    Scanned the following paths:
      -
    • /argo-cd/argoproj/gitops-engine/gitops-engine/go.mod (gomodules)
    • +
    • /argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)
    • +
    • /argo-cd/argoproj/argo-cd/gitops-engine/gitops-engine/go.mod (gomodules)
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • /argo-cd/ui/yarn.lock (yarn)
    -
    3 known vulnerabilities
    -
    6 vulnerable dependency paths
    -
    1016 dependencies
    +
    17 known vulnerabilities
    +
    55 vulnerable dependency paths
    +
    2902 dependencies
    @@ -514,6 +515,1641 @@
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + minimatch +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, argo-ui@1.0.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + minimatch@5.1.6 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    minimatch is a minimal matching utility.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row, followed by an unmatched character.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade minimatch to version 10.2.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and go.opentelemetry.io/otel/sdk/resource@1.39.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/resource@1.39.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/trace@1.39.0 + + go.opentelemetry.io/otel/sdk/resource@1.39.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.39.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.39.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.39.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform@1.39.0 + + go.opentelemetry.io/otel/sdk/resource@1.39.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.39.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.39.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.39.0 + + go.opentelemetry.io/otel/sdk/trace@1.39.0 + + go.opentelemetry.io/otel/sdk/resource@1.39.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Uncaught Exception

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Uncaught Exception in the numeric entity processing when parsing XML containing out-of-range entity code points. An attacker can cause the application to crash by submitting specially crafted XML input that triggers an uncaught exception.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.4 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    XML Entity Expansion

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

    +

    Workaround

    +

    This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

    +

    PoC

    +
    const { XMLParser } = require('fast-xml-parser');
    +        
    +        const entity = 'A'.repeat(1000);
    +        const refs = '&big;'.repeat(100);
    +        const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;
    +        
    +        console.time('parse');
    +        new XMLParser().parse(xml);
    +        console.timeEnd('parse');
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.6 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Incorrect Regular Expression

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/gitops-engine gitops-engine/go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/gitops-engine@0.0.0, k8s.io/kubectl/pkg/cmd/auth@0.34.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/auth@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/create@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/apply@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/replace@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/delete@0.34.0 + + k8s.io/kubectl/pkg/util/completion@0.34.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/gitops-engine gitops-engine/go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/gitops-engine@0.0.0, k8s.io/kubectl/pkg/cmd/auth@0.34.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/auth@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/create@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/apply@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/replace@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/delete@0.34.0 + + k8s.io/kubectl/pkg/util/completion@0.34.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/r3labs/diff/v3@3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.23.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + code.gitea.io/sdk/gitea@0.23.2 + + github.com/hashicorp/go-version@1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.39.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.8 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.39.0 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.39.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#1dbe3de712f8 + + github.com/argoproj/notifications-engine/pkg/services@#1dbe3de712f8 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/gosimple/slug@1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/go-git/go-git/v5@5.14.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +

    Regular Expression Denial of Service (ReDoS)

    @@ -663,6 +2299,144 @@

    More about this vulnerability

    +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + diff +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, unidiff@1.0.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + unidiff@1.0.2 + + diff@2.2.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    diff is a javascript text differencing implementation.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsePatch() and applyPatch() functions if the user input passed without sanitisation. An attacker can cause the process to enter an infinite loop and exhaust system memory by providing a patch with filename headers containing \r, \u2028, or \u2029 characters or having control over patch's patch header for application generated patches.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade diff to version 3.5.1, 4.0.4, 5.2.2, 8.0.3 or higher.

    +

    References

    + + +
    + + +

    Insecure Randomness

    diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.43.0.html
    deleted file mode 100644
    index a9b5d1dc6a..0000000000
    --- a/docs/snyk/master/ghcr.io_dexidp_dex_v2.43.0.html
    +++ /dev/null
    @@ -1,1993 +0,0 @@
    - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:25:20 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • -
    -
    - -
    -
    15 known vulnerabilities
    -
    41 vulnerable dependency paths
    -
    1131 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/oauth2/jws -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/oauth2/jws@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    -

    Remediation

    -

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Server-side Request Forgery (SSRF)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http/httpproxy -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/net/http/httpproxy@v0.32.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    -

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Handling of Unexpected Data Type

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Asymmetric Resource Consumption (Amplification)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/golang-jwt/jwt/v5 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/golang-jwt/jwt/v5@v5.2.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    -

    Remediation

    -

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Read

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Observable Discrepancy

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api/auth/userpass -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

    -

    ##Workaround

    -

    This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

    -

    Remediation

    -

    There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/go-jose/go-jose/v4 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/go-jose/go-jose/v4@v4.0.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    -

    Workaround

    -

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    -

    Remediation

    -

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Synchronous Access of Remote Resource without Timeout

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api@v1.15.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    -

    Remediation

    -

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/master/ghcr.io_dexidp_dex_v2.44.0.html b/docs/snyk/master/ghcr.io_dexidp_dex_v2.44.0.html new file mode 100644 index 0000000000..b376dc6928 --- /dev/null +++ b/docs/snyk/master/ghcr.io_dexidp_dex_v2.44.0.html @@ -0,0 +1,5275 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:28:18 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • ghcr.io/dexidp/dex:v2.44.0/dexidp/dex (apk)
    • +
    • ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.44.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.44.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • +
    +
    + +
    +
    44 known vulnerabilities
    +
    166 vulnerable dependency paths
    +
    1147 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Handling of Unexpected Data Type

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and go.opentelemetry.io/otel/sdk/resource@v1.36.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + go.opentelemetry.io/otel/sdk/resource@v1.36.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.43.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.43.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.43.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.43.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Out-of-bounds Read

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/vault/api/auth/aws +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/aws@v0.10.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api/auth/aws@v0.10.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.20.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.20.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/serf/coordinate +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/serf/coordinate@v0.10.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl/v2 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.18.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/customdecode@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/tryfunc@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/gohcl@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclparse@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclsyntax@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclwrite@v2.18.1 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/json@v2.18.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.1-vault-7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl@v1.0.1-vault-7 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl/hcl/token@v1.0.1-vault-7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/golang-lru/simplelru +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/golang-lru/simplelru@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-uuid +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-uuid@v1.0.3 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-sockaddr +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr@v1.0.7 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr/template@v1.0.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/strutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/parseutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.2.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/parseutil@v0.2.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/awsutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-rootcerts +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-rootcerts@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-retryablehttp@v0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-immutable-radix +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-immutable-radix@v1.3.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/errwrap +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/gosimple/slug@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/go-sql-driver/mysql +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/go-sql-driver/mysql@v1.9.3 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/go-git/go-git/v5/storage/filesystem@v5.16.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/go-git/go-git/v5/storage/filesystem@v5.16.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Initialization

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.44.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + filippo.io/edwards25519 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and filippo.io/edwards25519@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + filippo.io/edwards25519@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Initialization via the MultiScalarMult function when the receiver is not properly initialized. An attacker can cause invalid results or undefined behavior by invoking this function on an uninitialized or non-identity receiver.

    +

    Remediation

    +

    Upgrade filippo.io/edwards25519 to version 1.1.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.4-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.4-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.4-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-11187

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation + which can trigger a stack-based buffer overflow, invalid pointer or NULL + pointer dereference during MAC verification.

    +

    Impact summary: The stack buffer overflow or NULL pointer dereference may + cause a crash leading to Denial of Service for an application that parses + untrusted PKCS#12 files. The buffer overflow may also potentially enable + code execution depending on platform mitigations.

    +

    When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 + salt and keylength parameters from the file are used without validation. + If the value of keylength exceeds the size of the fixed stack buffer used + for the derived key (64 bytes), the key derivation will overflow the buffer. + The overflow length is attacker-controlled. Also, if the salt parameter is + not an OCTET STRING type this can lead to invalid or NULL pointer + dereference.

    +

    Exploiting this issue requires a user or application to process + a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted + PKCS#12 files in applications as they are usually used to store private + keys which are trusted by definition. For this reason the issue was assessed + as Moderate severity.

    +

    The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as + PKCS#12 processing is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.

    +

    OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do + not support PBMAC1 in PKCS#12.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15469

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: The 'openssl dgst' command-line tool silently truncates input + data to 16MB when using one-shot signing algorithms and reports success instead + of an error.

    +

    Impact summary: A user signing or verifying files larger than 16MB with + one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire + file is authenticated while trailing data beyond 16MB remains unauthenticated.

    +

    When the 'openssl dgst' command is used with algorithms that only support + one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input + is buffered with a 16MB limit. If the input exceeds this limit, the tool + silently truncates to the first 16MB and continues without signaling an error, + contrary to what the documentation states. This creates an integrity gap where + trailing bytes can be modified without detection if both signing and + verification are performed using the same affected codepath.

    +

    The issue affects only the command-line tool behavior. Verifiers that process + the full message using library APIs will reject the signature, so the risk + primarily affects workflows that both sign and verify with the affected + 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and + library users are unaffected.

    +

    The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the + command-line tools are outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.5 and 3.6 are vulnerable to this issue.

    +

    OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and openssl/libcrypto3@3.5.1-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + openssl/libcrypto3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + apk-tools/apk-tools@2.14.9-r2 + + apk-tools/libapk2@2.14.9-r2 + + openssl/libssl3@3.5.1-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and busybox/busybox@1.37.0-r18 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/busybox@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r18 + + busybox/busybox@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/busybox-binsh@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.44.0 and busybox/busybox@1.37.0-r18 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/busybox@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r18 + + busybox/busybox@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/busybox-binsh@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r18 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.44.0 + + busybox/ssl_client@1.37.0-r18 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html index 814aa58873..753e5c3002 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,7 +492,7 @@

    Snyk test report

    -

    January 18th 2026, 12:25:25 am (UTC+00:00)

    +

    February 22nd 2026, 12:28:26 am (UTC+00:00)

    Scanned the following path: @@ -502,8 +502,8 @@
    -
    5 known vulnerabilities
    -
    42 vulnerable dependency paths
    +
    15 known vulnerabilities
    +
    142 vulnerable dependency paths
    19 dependencies
    @@ -521,6 +521,195 @@
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +

    CVE-2025-9230

    @@ -1095,6 +1284,1744 @@

    More about this vulnerability

    +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + +

    CVE-2024-58251

    diff --git a/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html b/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html index 61e0ac568e..65c15f7749 100644 --- a/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html +++ b/docs/snyk/master/public.ecr.aws_docker_library_redis_8.2.3-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,7 +492,7 @@

    Snyk test report

    -

    January 18th 2026, 12:25:32 am (UTC+00:00)

    +

    February 22nd 2026, 12:28:33 am (UTC+00:00)

    Scanned the following path: @@ -502,8 +502,8 @@
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    22 dependencies
    @@ -520,241 +520,7 @@
    -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/master/quay.io_argoproj_argocd_latest.html b/docs/snyk/master/quay.io_argoproj_argocd_latest.html index 12d7d1ffb5..e6e26c3022 100644 --- a/docs/snyk/master/quay.io_argoproj_argocd_latest.html +++ b/docs/snyk/master/quay.io_argoproj_argocd_latest.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,7 +492,7 @@

    Snyk test report

    -

    January 18th 2026, 12:25:54 am (UTC+00:00)

    +

    February 22nd 2026, 12:28:54 am (UTC+00:00)

    Scanned the following paths: @@ -506,9 +506,9 @@
    -
    16 known vulnerabilities
    -
    54 vulnerable dependency paths
    -
    2318 dependencies
    +
    25 known vulnerabilities
    +
    64 vulnerable dependency paths
    +
    2333 dependencies
    @@ -516,6 +516,79 @@
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and go.opentelemetry.io/otel/sdk/resource@v1.39.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + go.opentelemetry.io/otel/sdk/resource@v1.39.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +

    Directory Traversal

    @@ -1014,6 +1087,453 @@

    More about this vulnerability

    +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/r3labs/diff/v3@v3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-version@v1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-retryablehttp@v0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/gosimple/slug@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + +

    Improper Encoding or Escaping of Output

    @@ -1080,7 +1600,7 @@ Introduced through: docker-image|quay.io/argoproj/argocd@latest - git-lfs@3.6.1-1 + git-lfs@3.6.1-1ubuntu0.1 git@1:2.51.0-1ubuntu1 @@ -1112,85 +1632,6 @@

    More about this vulnerability

    -
    -
    -

    Link Following

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.10 -
    • -
    • - Vulnerable module: - - git-lfs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@latest and git-lfs@3.6.1-1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@latest - - git-lfs@3.6.1-1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    -

    Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.10 git-lfs.

    -

    References

    - - -
    - - -

    Algorithmic Complexity

    @@ -1239,7 +1680,7 @@ git@1:2.51.0-1ubuntu1 - expat/libexpat1@2.7.1-2 + expat/libexpat1@2.7.1-2ubuntu0.2 @@ -1564,6 +2005,165 @@

    More about this vulnerability

    +
    +
    +

    Improper Neutralization of Null Byte or NUL Character

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:10.0p1-5ubuntu5 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:10.0p1-5ubuntu5 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    +

    ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 openssh.

    +

    References

    + + +
    + + + +
    +
    +

    Failure to Sanitize Special Element

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:latest/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:10.0p1-5ubuntu5 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + openssh/openssh-client@1:10.0p1-5ubuntu5 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    +

    ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 openssh.

    +

    References

    + + +
    + + +

    Information Exposure

    @@ -1825,7 +2425,7 @@
    -

    CVE-2025-9086

    +

    Out-of-bounds Read

    @@ -2093,7 +2693,7 @@
    -

    CVE-2025-14524

    +

    Open Redirect

    @@ -2224,6 +2824,17 @@ + +
  • + Introduced through: + docker-image|quay.io/argoproj/argocd@latest + + tzdata@2025b-3ubuntu1.1 + + coreutils/gnu-coreutils@9.5-1ubuntu4 + + +
  • Introduced through: diff --git a/docs/snyk/v3.0.22/argocd-iac-install.html b/docs/snyk/v3.0.22/argocd-iac-install.html deleted file mode 100644 index 39c312dbc2..0000000000 --- a/docs/snyk/v3.0.22/argocd-iac-install.html +++ /dev/null @@ -1,2891 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:38:09 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • /argo-cd/manifests/install.yaml (Kubernetes)
    • -
    -
    - -
    -
    44 total issues
    -
    -
    -
    -
    - -
    - - - - - - -
    Project manifests/install.yaml
    Path /argo-cd/manifests/install.yaml
    Project Type Kubernetes
    -
    -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - high severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 17] - - rules[5] - - resources - -
    • - -
    • - Line number: 24296 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 10] - - rules[0] - - resources - -
    • - -
    • - Line number: 23976 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 11] - - rules[4] - - resources - -
    • - -
    • - Line number: 24064 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 12] - - rules[0] - - resources - -
    • - -
    • - Line number: 24092 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 13] - - rules[1] - - resources - -
    • - -
    • - Line number: 24122 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 13] - - rules[3] - - resources - -
    • - -
    • - Line number: 24140 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 14] - - rules[0] - - resources - -
    • - -
    • - Line number: 24158 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 15] - - rules[0] - - resources - -
    • - -
    • - Line number: 24180 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Container could be running with outdated image

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-42 -
    • - -
    • Introduced through: - [DocId: 48] - - spec - - template - - spec - - initContainers[secret-init] - - imagePullPolicy - -
    • - -
    • - Line number: 25388 -
    • -
    - -
    - -

    Impact

    -

    The container may run with outdated or unauthorized image

    - -

    Remediation

    -

    Set `imagePullPolicy` attribute to `Always`

    - - -
    -
    - - - -
    -
    -

    Container could be running with outdated image

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-42 -
    • - -
    • Introduced through: - [DocId: 49] - - spec - - template - - spec - - initContainers[copyutil] - - imagePullPolicy - -
    • - -
    • - Line number: 25707 -
    • -
    - -
    - -

    Impact

    -

    The container may run with outdated or unauthorized image

    - -

    Remediation

    -

    Set `imagePullPolicy` attribute to `Always`

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 45] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 24883 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25184 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - containers[dex] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25132 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 47] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25246 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - containers[redis] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25359 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - initContainers[secret-init] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25383 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25707 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25442 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 50] - - input - - spec - - template - - spec - - containers[argocd-server] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 25794 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 51] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 26204 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container is running with multiple open ports

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-36 -
    • - -
    • Introduced through: - [DocId: 46] - - spec - - template - - spec - - containers[dex] - - ports - -
    • - -
    • - Line number: 25164 -
    • -
    - -
    - -

    Impact

    -

    Increases the attack surface of the application and the container.

    - -

    Remediation

    -

    Reduce `ports` count to 2

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 45] - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - livenessProbe - -
    • - -
    • - Line number: 24883 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 46] - - spec - - template - - spec - - containers[dex] - - livenessProbe - -
    • - -
    • - Line number: 25132 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 48] - - spec - - template - - spec - - containers[redis] - - livenessProbe - -
    • - -
    • - Line number: 25359 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 45] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 24883 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - containers[dex] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25132 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25184 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 47] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25246 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - containers[redis] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25359 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - initContainers[secret-init] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25383 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25707 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25442 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 50] - - input - - spec - - template - - spec - - containers[argocd-server] - - resources - - limits - - memory - -
    • - -
    • - Line number: 25794 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 51] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 26204 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 45] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25054 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - initContainers[copyutil] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25192 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 46] - - input - - spec - - template - - spec - - containers[dex] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25167 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 47] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25291 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - containers[redis] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25376 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 48] - - input - - spec - - template - - spec - - initContainers[secret-init] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25390 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - initContainers[copyutil] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25714 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 49] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 25680 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 50] - - input - - spec - - template - - spec - - containers[argocd-server] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 26103 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 51] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 26473 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -
    - -
    - - - diff --git a/docs/snyk/v3.0.22/argocd-iac-namespace-install.html b/docs/snyk/v3.0.22/argocd-iac-namespace-install.html deleted file mode 100644 index 92e8a6bc74..0000000000 --- a/docs/snyk/v3.0.22/argocd-iac-namespace-install.html +++ /dev/null @@ -1,2845 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:38:20 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • /argo-cd/manifests/namespace-install.yaml (Kubernetes)
    • -
    -
    - -
    -
    43 total issues
    -
    -
    -
    -
    - -
    - - - - - - -
    Project manifests/namespace-install.yaml
    Path /argo-cd/manifests/namespace-install.yaml
    Project Type Kubernetes
    -
    -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 7] - - rules[0] - - resources - -
    • - -
    • - Line number: 77 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 8] - - rules[4] - - resources - -
    • - -
    • - Line number: 165 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 9] - - rules[0] - - resources - -
    • - -
    • - Line number: 193 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 10] - - rules[1] - - resources - -
    • - -
    • - Line number: 223 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 10] - - rules[3] - - resources - -
    • - -
    • - Line number: 241 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 11] - - rules[0] - - resources - -
    • - -
    • - Line number: 259 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Role or ClusterRole with dangerous permissions

    -
    - -
    - medium severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-47 -
    • - -
    • Introduced through: - [DocId: 12] - - rules[0] - - resources - -
    • - -
    • - Line number: 281 -
    • -
    - -
    - -

    Impact

    -

    Using this role grants dangerous permissions. For a ClusterRole this would be considered high severity.

    - -

    Remediation

    -

    Consider removing these permissions

    - - -
    -
    - - - -
    -
    -

    Container could be running with outdated image

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-42 -
    • - -
    • Introduced through: - [DocId: 39] - - spec - - template - - spec - - initContainers[secret-init] - - imagePullPolicy - -
    • - -
    • - Line number: 1275 -
    • -
    - -
    - -

    Impact

    -

    The container may run with outdated or unauthorized image

    - -

    Remediation

    -

    Set `imagePullPolicy` attribute to `Always`

    - - -
    -
    - - - -
    -
    -

    Container could be running with outdated image

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-42 -
    • - -
    • Introduced through: - [DocId: 40] - - spec - - template - - spec - - initContainers[copyutil] - - imagePullPolicy - -
    • - -
    • - Line number: 1594 -
    • -
    - -
    - -

    Impact

    -

    The container may run with outdated or unauthorized image

    - -

    Remediation

    -

    Set `imagePullPolicy` attribute to `Always`

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 36] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 770 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1071 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - containers[dex] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1019 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 38] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1133 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - containers[redis] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1246 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - initContainers[secret-init] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1270 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1594 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1329 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 41] - - input - - spec - - template - - spec - - containers[argocd-server] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 1681 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container has no CPU limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-5 -
    • - -
    • Introduced through: - [DocId: 42] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - resources - - limits - - cpu - -
    • - -
    • - Line number: 2091 -
    • -
    - -
    - -

    Impact

    -

    CPU limits can prevent containers from consuming valuable compute time for no benefit (e.g. inefficient code) that might lead to unnecessary costs. It is advisable to also configure CPU requests to ensure application stability.

    - -

    Remediation

    -

    Add `resources.limits.cpu` field with required CPU limit value

    - - -
    -
    - - - -
    -
    -

    Container is running with multiple open ports

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-36 -
    • - -
    • Introduced through: - [DocId: 37] - - spec - - template - - spec - - containers[dex] - - ports - -
    • - -
    • - Line number: 1051 -
    • -
    - -
    - -

    Impact

    -

    Increases the attack surface of the application and the container.

    - -

    Remediation

    -

    Reduce `ports` count to 2

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 36] - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - livenessProbe - -
    • - -
    • - Line number: 770 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 37] - - spec - - template - - spec - - containers[dex] - - livenessProbe - -
    • - -
    • - Line number: 1019 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without liveness probe

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-41 -
    • - -
    • Introduced through: - [DocId: 39] - - spec - - template - - spec - - containers[redis] - - livenessProbe - -
    • - -
    • - Line number: 1246 -
    • -
    - -
    - -

    Impact

    -

    Kubernetes will not be able to detect if application is able to service requests, and will not restart unhealthy pods

    - -

    Remediation

    -

    Add `livenessProbe` attribute

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 36] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 770 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - containers[dex] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1019 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1071 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 38] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1133 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - containers[redis] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1246 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - initContainers[secret-init] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1270 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - initContainers[copyutil] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1594 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1329 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 41] - - input - - spec - - template - - spec - - containers[argocd-server] - - resources - - limits - - memory - -
    • - -
    • - Line number: 1681 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container is running without memory limit

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-4 -
    • - -
    • Introduced through: - [DocId: 42] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - resources - - limits - - memory - -
    • - -
    • - Line number: 2091 -
    • -
    - -
    - -

    Impact

    -

    Containers without memory limits are more likely to be terminated when the node runs out of memory

    - -

    Remediation

    -

    Set `resources.limits.memory` value

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 36] - - input - - spec - - template - - spec - - containers[argocd-applicationset-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 941 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - initContainers[copyutil] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1079 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 37] - - input - - spec - - template - - spec - - containers[dex] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1054 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 38] - - input - - spec - - template - - spec - - containers[argocd-notifications-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1178 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - containers[redis] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1263 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 39] - - input - - spec - - template - - spec - - initContainers[secret-init] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1277 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - initContainers[copyutil] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1601 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 40] - - input - - spec - - template - - spec - - containers[argocd-repo-server] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1567 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 41] - - input - - spec - - template - - spec - - containers[argocd-server] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 1990 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -

    Container's or Pod's UID could clash with host's UID

    -
    - -
    - low severity -
    - -
    - -
      -
    • - Public ID: SNYK-CC-K8S-11 -
    • - -
    • Introduced through: - [DocId: 42] - - input - - spec - - template - - spec - - containers[argocd-application-controller] - - securityContext - - runAsUser - -
    • - -
    • - Line number: 2360 -
    • -
    - -
    - -

    Impact

    -

    UID of the container processes could clash with host's UIDs and lead to unintentional authorization bypass

    - -

    Remediation

    -

    Set `securityContext.runAsUser` value to greater or equal than 10'000. SecurityContext can be set on both `pod` and `container` level. If both are set, then the container level takes precedence

    - - -
    -
    - - - -
    -
    -
    - -
    - - - diff --git a/docs/snyk/v3.0.22/ghcr.io_dexidp_dex_v2.41.1.html b/docs/snyk/v3.0.22/ghcr.io_dexidp_dex_v2.41.1.html deleted file mode 100644 index 6d33a10cf9..0000000000 --- a/docs/snyk/v3.0.22/ghcr.io_dexidp_dex_v2.41.1.html +++ /dev/null @@ -1,3159 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:36:14 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex (apk)
    • -
    • ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.41.1/dexidp/dex//usr/local/bin/dex (gomodules)
    • -
    -
    - -
    -
    23 known vulnerabilities
    -
    85 vulnerable dependency paths
    -
    969 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Incorrect Implementation of Authentication Algorithm

    -
    - -
    -
    - critical severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm when the key passed in the last call before a connection is established is assumed to be the key used for authentication. It is not necessarily the authentication key in use, and this allows attackers who can control the key cache by making their own carefully-timed connections to bypass authorization with subsequent legitimate ServerConfig.PublicKeyCallback callbacks.

    -

    Note: The assumed caching behavior of this callback is not documented and is therefore considered human error, but the project maintainers have observed reliance on it for authorization decisions in production. In fact, the assumption is negated in the documentation, which states "A call to this function does not guarantee that the key offered is in fact used to authenticate." The behavior after upgrading still allows the possibility of an attacker forcing their own key to be the one in the cache when the callback is invoked if the client is using a different authentication method such as PasswordCallback, KeyboardInteractiveCallback, or NoClientAuth. It is therefore recommended to rely on the return values of the connection itself, found in ServerConn.Permissions for further authorization steps.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.31.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Access of Resource Using Incompatible Type ('Type Confusion')

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: Applications performing certificate name checks (e.g., TLS - clients checking server certificates) may attempt to read an invalid memory - address resulting in abnormal termination of the application process.

    -

    Impact summary: Abnormal termination of an application can a cause a denial of - service.

    -

    Applications performing certificate name checks (e.g., TLS clients checking - server certificates) may attempt to read an invalid memory address when - comparing the expected name with an otherName subject alternative name of an - X.509 certificate. This may result in an exception that terminates the - application program.

    -

    Note that basic certificate chain validation (signatures, dates, ...) is not - affected, the denial of service can occur only when the application also - specifies an expected DNS name, Email address or IP address.

    -

    TLS servers rarely solicit client certificates, and even when they do, they - generally don't perform a name check against a reference identifier (expected - identity), but rather extract the presented identity after checking the - certificate chain. So TLS servers are generally not affected and the severity - of the issue is Moderate.

    -

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.2-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-26519

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - musl/musl -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and musl/musl@1.2.5-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - musl/musl-utils@1.2.5-r0 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - zlib/zlib@1.3.1-r1 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - musl/musl-utils@1.2.5-r0 - - pax-utils/scanelf@1.3.7-r2 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - alpine-baselayout/alpine-baselayout@3.6.5-r0 - - busybox/busybox-binsh@1.36.1-r29 - - busybox/busybox@1.36.1-r29 - - musl/musl@1.2.5-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - musl/musl-utils@1.2.5-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream musl package and not the musl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    musl libc 0.9.13 through 1.2.5 before 1.2.6 has an out-of-bounds write vulnerability when an attacker can trigger iconv conversion of untrusted EUC-KR text to UTF-8.

    -

    Remediation

    -

    Upgrade Alpine:3.20 musl to version 1.2.5-r1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/oauth2/jws -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.21.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/oauth2/jws@v0.21.0 - - - -
    • -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/oauth2/jws@v0.21.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    -

    Remediation

    -

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Server-side Request Forgery (SSRF)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http/httpproxy -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.26.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/net/http/httpproxy@v0.26.0 - - - -
    • -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/http/httpproxy@v0.27.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    -

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Denial of Service (DoS)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex /usr/local/bin/dex -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.27.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Denial of Service (DoS) through the functions parseDoctype, htmlIntegrationPoint, inBodyIM and inTableIM due to inefficient usage of the method strings.ToLower combining with the == operator to convert strings to lowercase and then comparing them.

    -

    An attacker can cause the application to slow down significantly by crafting inputs that are processed non-linearly.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.33.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Handling of Unexpected Data Type

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Asymmetric Resource Consumption (Amplification)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/golang-jwt/jwt/v5 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/golang-jwt/jwt/v5@v5.2.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    -

    Remediation

    -

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Insertion of Sensitive Information into Log File

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - google.golang.org/grpc/metadata -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and google.golang.org/grpc/metadata@v1.64.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - google.golang.org/grpc/metadata@v1.64.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    google.golang.org/grpc/metadata is a package that defines the structure of the metadata supported by the gRPC library

    -

    Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the form of gRPC metadata. If the metadata contains sensitive information an attacker can expose it.

    -

    Remediation

    -

    Upgrade google.golang.org/grpc/metadata to version 1.64.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Syntactic Correctness of Input

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/dexidp/dex /usr/local/bin/dex -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - github.com/dexidp/dex@* and golang.org/x/net/html@v0.27.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/dexidp/dex@* - - golang.org/x/net/html@v0.27.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in token.go, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.

    -

    Details

    -

    Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.38.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Read

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Observable Discrepancy

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api/auth/userpass -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/userpass@v0.7.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api/auth/userpass@v0.7.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

    -

    ##Workaround

    -

    This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

    -

    Remediation

    -

    There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.41.1/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/go-jose/go-jose/v4 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/go-jose/go-jose/v4@v4.0.2 - - - -
    • -
    • - Introduced through: - github.com/dexidp/dex@* - - github.com/go-jose/go-jose/v4@v4.0.4 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    -

    Workaround

    -

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    -

    Remediation

    -

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-9143

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted - explicit values for the field polynomial can lead to out-of-bounds memory reads - or writes.

    -

    Impact summary: Out of bound memory writes can lead to an application crash or - even a possibility of a remote code execution, however, in all the protocols - involving Elliptic Curve Cryptography that we're aware of, either only "named - curves" are supported, or, if explicit curve parameters are supported, they - specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent - problematic input values. Thus the likelihood of existence of a vulnerable - application is low.

    -

    In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, - so problematic inputs cannot occur in the context of processing X.509 - certificates. Any problematic use-cases would have to be using an "exotic" - curve encoding.

    -

    The affected APIs include: EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), - and various supporting BN_GF2m_*() functions.

    -

    Applications working with "exotic" explicit binary (GF(2^m)) curve parameters, - that make it possible to represent invalid field polynomials with a zero - constant term, via the above or similar APIs, may terminate abruptly as a - result of reading or writing outside of array bounds. Remote code execution - cannot easily be ruled out.

    -

    The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.2-r3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-13176

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow recovering - the private key exists in the ECDSA signature computation.

    -

    Impact summary: A timing side-channel in ECDSA signature computations - could allow recovering the private key by an attacker. However, measuring - the timing would require either local access to the signing application or - a very fast network connection with low latency.

    -

    There is a timing signal of around 300 nanoseconds when the top word of - the inverted ECDSA nonce value is zero. This can happen with significant - probability only for some of the supported elliptic curves. In particular - the NIST P-521 curve is affected. To be able to measure this leak, the attacker - process must either be located in the same physical computer or must - have a very fast network connection with low latency. For that reason - the severity of this vulnerability is Low.

    -

    The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.2-r2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-12797

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and openssl/libcrypto3@3.3.1-r3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - openssl/libcrypto3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - apk-tools/apk-tools@2.14.4-r0 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - openssl/libssl3@3.3.1-r3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a - server may fail to notice that the server was not authenticated, because - handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode - is set.

    -

    Impact summary: TLS and DTLS connections using raw public keys may be - vulnerable to man-in-middle attacks when server authentication failure is not - detected by clients.

    -

    RPKs are disabled by default in both TLS clients and TLS servers. The issue - only arises when TLS clients explicitly enable RPK use by the server, and the - server, likewise, enables sending of an RPK instead of an X.509 certificate - chain. The affected clients are those that then rely on the handshake to - fail when the server's RPK fails to match one of the expected public keys, - by setting the verification mode to SSL_VERIFY_PEER.

    -

    Clients that enable server-side raw public keys can still find out that raw - public key verification failed by calling SSL_get_verify_result(), and those - that do, and take appropriate action, are not affected. This issue was - introduced in the initial implementation of RPK support in OpenSSL 3.2.

    -

    The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.

    -

    Remediation

    -

    Upgrade Alpine:3.20 openssl to version 3.3.3-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and busybox/busybox@1.36.1-r29 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/busybox@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - alpine-baselayout/alpine-baselayout@3.6.5-r0 - - busybox/busybox-binsh@1.36.1-r29 - - busybox/busybox@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/busybox-binsh@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - alpine-baselayout/alpine-baselayout@3.6.5-r0 - - busybox/busybox-binsh@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.20 busybox to version 1.36.1-r31 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.20 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.41.1 and busybox/busybox@1.36.1-r29 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/busybox@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - alpine-baselayout/alpine-baselayout@3.6.5-r0 - - busybox/busybox-binsh@1.36.1-r29 - - busybox/busybox@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/busybox-binsh@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - alpine-baselayout/alpine-baselayout@3.6.5-r0 - - busybox/busybox-binsh@1.36.1-r29 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.41.1 - - busybox/ssl_client@1.36.1-r29 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.20 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.20 busybox to version 1.36.1-r31 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.0.22/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.0.22/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
deleted file mode 100644
index e21c8a9498..0000000000
--- a/docs/snyk/v3.0.22/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
+++ /dev/null
@@ -1,1359 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:36:18 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • -
    -
    - -
    -
    5 known vulnerabilities
    -
    42 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    -
    -
    -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.0.22/public.ecr.aws_docker_library_redis_7.2.11-alpine.html b/docs/snyk/v3.0.22/public.ecr.aws_docker_library_redis_7.2.11-alpine.html deleted file mode 100644 index fad9e9039a..0000000000 --- a/docs/snyk/v3.0.22/public.ecr.aws_docker_library_redis_7.2.11-alpine.html +++ /dev/null @@ -1,754 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:36:24 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/docker/library/redis (apk)
    • -
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
    • -
    -
    - -
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.0.22/quay.io_argoproj_argocd_v3.0.22.html b/docs/snyk/v3.0.22/quay.io_argoproj_argocd_v3.0.22.html deleted file mode 100644 index e6087667d7..0000000000 --- a/docs/snyk/v3.0.22/quay.io_argoproj_argocd_v3.0.22.html +++ /dev/null @@ -1,3041 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:36:45 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • quay.io/argoproj/argocd:v3.0.22/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v3.0.22/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.0.22//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.0.22/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.0.22/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • -
    -
    - -
    -
    23 known vulnerabilities
    -
    74 vulnerable dependency paths
    -
    2361 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - tar -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and tar@1.35+dfsg-3build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - tar@1.35+dfsg-3build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - dash@0.5.12-6ubuntu5 - - dpkg@1.22.6ubuntu6.5 - - tar@1.35+dfsg-3build1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 tar.

    -

    References

    - - -
    - - - -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - pam/libpam0g -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and pam/libpam0g@1.5.3-5ubuntu5.5 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - shadow/login@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - util-linux@2.39.3-9ubuntu6.4 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 - - pam/libpam0g@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - pam/libpam-runtime@1.5.3-5ubuntu5.5 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - shadow/login@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - pam/libpam-runtime@1.5.3-5ubuntu5.5 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - shadow/login@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-runtime@1.5.3-5ubuntu5.5 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 pam.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Validation of Syntactic Correctness of Input

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/helm/v3 /usr/local/bin/helm -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/html -
    • - -
    • Introduced through: - - helm.sh/helm/v3@* and golang.org/x/net/html@v0.33.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - helm.sh/helm/v3@* - - golang.org/x/net/html@v0.33.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    -

    Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the tokenizer in token.go, which incorrectly interprets tags as closing tags, allowing malicious input to be incorrectly processed and the DOM to be corrupted.

    -

    Details

    -

    Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/net/html to version 0.38.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Verification of Cryptographic Signature

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - gnupg2/gpgv -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and gnupg2/gpgv@2.4.4-2ubuntu17.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpgv@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - gnupg2/gpgv@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/dirmngr@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/dirmngr@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 gnupg2.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Encoding or Escaping of Output

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - git/git-man -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - git/git-man@1:2.43.0-1ubuntu7.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git-lfs@3.4.1-1ubuntu0.3 - - git@1:2.43.0-1ubuntu7.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 git.

    -

    References

    - - -
    - - - -
    -
    -

    Link Following

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - git-lfs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and git-lfs@3.4.1-1ubuntu0.3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git-lfs@3.4.1-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 git-lfs.

    -

    References

    - - -
    - - - -
    -
    -

    Arbitrary Code Injection

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - git-lfs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and git-lfs@3.4.1-1ubuntu0.3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git-lfs@3.4.1-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 git-lfs.

    -

    References

    - - -
    - - - -
    -
    -

    Algorithmic Complexity

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - expat/libexpat1@2.6.1-2ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 expat.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-56433

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - shadow/passwd -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - openssh/openssh-client@1:9.6p1-3ubuntu13.14 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - shadow/login@1:4.13+dfsg1-4ubuntu3.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 shadow.

    -

    References

    - - -
    - - - -
    -
    -

    Release of Invalid Pointer or Reference

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Double Free

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-41996

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - openssl/libssl3t64 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and openssl/libssl3t64@3.0.13-0ubuntu3.6 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - coreutils@9.4-3ubuntu6.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - libfido2/libfido2-1@1.14.0-1build3 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - openssh/openssh-client@1:9.6p1-3ubuntu13.14 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.6 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - libssh/libssh-4@0.10.6-2ubuntu0.2 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 - - krb5/libkrb5-3@1.20.1-6ubuntu2.6 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 - - cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - openssl@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 openssl.

    -

    References

    - - -
    - - - -
    -
    -

    Information Exposure

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - libgcrypt20 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and libgcrypt20@1.10.3-2build1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/dirmngr@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - apt/libapt-pkg6.0t64@2.8.3 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - gnupg2/gpgv@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - systemd/libsystemd0@255.4-1ubuntu8.12 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 libgcrypt20.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Write

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - gnupg2/gpgv -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and gnupg2/gpgv@2.4.4-2ubuntu17.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpgv@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - apt@2.8.3 - - gnupg2/gpgv@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/dirmngr@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/dirmngr@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 gnupg2.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - glibc/libc-bin -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and glibc/libc-bin@2.39-0ubuntu8.6 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - glibc/libc-bin@2.39-0ubuntu8.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - glibc/libc6@2.39-0ubuntu8.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 glibc.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9086

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -
      -
    1. A cookie is set using the secure keyword for https://target
    2. -
    3. curl is redirected to or otherwise made to speak with http://target (same - hostname, but using clear text HTTP) using the same cookie set
    4. -
    5. The same cookie name is set - but with just a slash as path (path=\&#34;/\&#34;,). - Since this site is not secure, the cookie should just be ignored.
    6. -
    7. A bug in the path comparison logic makes curl read outside a heap buffer - boundary
    8. -
    -

    The bug either causes a crash or it potentially makes the comparison come to - the wrong conclusion and lets the clear-text site override the contents of the - secure cookie, contrary to expectations and depending on the memory contents - immediately following the single-byte allocation that holds the path.

    -

    The presumed and correct behavior would be to plainly ignore the second set of - the cookie since it was already set as secure on a secure host so overriding - it on an insecure host should not be okay.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-10148

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    curl's websocket code did not update the 32 bit mask pattern for each new - outgoing frame as the specification says. Instead it used a fixed mask that - persisted and was used throughout the entire connection.

    -

    A predictable mask pattern allows for a malicious server to induce traffic - between the two communicating parties that could be interpreted by an involved - proxy (configured or transparent) as genuine, real, HTTP traffic with content - and thereby poison its cache. That cached poisoned content could then be - served to all users of that proxy.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-15224

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When doing SSH-based transfers using either SCP or SFTP, and asked to do - public key authentication, curl would wrongly still ask and authenticate using - a locally running SSH agent.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-15079

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When doing SSH-based transfers using either SCP or SFTP, and setting the - known_hosts file, libcurl could still mistakenly accept connecting to hosts - not present in the specified file if they were added as recognized in the - libssh global known_hosts file.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14819

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When doing TLS related transfers with reused easy or multi handles and - altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally - reuse a CA store cached in memory for which the partial chain option was - reversed. Contrary to the user's wishes and expectations. This could make - libcurl find and accept a trust chain that it otherwise would not.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14524

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer - performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, - POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new - target host.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-0167

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.0.22, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When asked to use a .netrc file for credentials and to follow HTTP - redirects, curl could leak the password used for the first host to the - followed-to host under certain circumstances.

    -

    This flaw only manifests itself if the netrc file has a default entry that - omits both login and password. A rare circumstance.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Input Validation

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.0.22/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - coreutils -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.0.22 and coreutils@9.4-3ubuntu6.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.0.22 - - coreutils@9.4-3ubuntu6.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 coreutils.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.0.22/redis_7.2.11-alpine.html b/docs/snyk/v3.0.22/redis_7.2.11-alpine.html
deleted file mode 100644
index 8073af1ef2..0000000000
--- a/docs/snyk/v3.0.22/redis_7.2.11-alpine.html
+++ /dev/null
@@ -1,754 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:36:51 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • redis:7.2.11-alpine (apk)
    • -
    • redis:7.2.11-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
    • -
    -
    - -
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.1.11/argocd-test.html b/docs/snyk/v3.1.11/argocd-test.html
deleted file mode 100644
index 773b433b6f..0000000000
--- a/docs/snyk/v3.1.11/argocd-test.html
+++ /dev/null
@@ -1,1424 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:33:30 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • /argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)
    • -
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • -
    • /argo-cd/ui/yarn.lock (yarn)
    • -
    -
    - -
    -
    7 known vulnerabilities
    -
    11 vulnerable dependency paths
    -
    2105 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Predictable Value Range from Previous Values

    -
    - -
    -
    - critical severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - form-data -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - form-data@4.0.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

    -

    Remediation

    -

    Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - qs -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - qs@6.11.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - qs@6.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

    -

    PoC

    -
    
    -        const qs = require('qs');
    -        const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    -        const result = qs.parse(attack, { arrayLimit: 100 });
    -        console.log(result.a.length);  // Output: 10000 (should be max 100)
    -        
    -

    Remediation

    -

    Upgrade qs to version 6.14.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Prototype Pollution

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - min-document -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, react-hot-loader@3.1.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-hot-loader@3.1.3 - - global@4.4.0 - - min-document@2.19.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Prototype Pollution via the removeAttributeNS function. An attacker can manipulate the prototype chain of JavaScript objects, potentially causing a denial-of-service attack by supplying malicious input that targets the __proto__ property during namespace attribute removal.

    -

    Notes:

    -

    This vulnerability is only exploitable if user input is passed without sanitization to the affected functions. The PoC has been validated as a theoretical vector, and a fixed version has been released.

    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade min-document to version 2.19.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Prototype Pollution

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - js-yaml -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and js-yaml@4.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - js-yaml@4.1.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.4.0 - - @redocly/openapi-core@1.30.0 - - js-yaml@4.1.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    js-yaml is a human-friendly data serialization language.

    -

    Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. This can lead to unexpected behavior or security issues in applications that process untrusted YAML input.

    -

    Workaround

    -

    This vulnerability can be mitigated by running the server with node --disable-proto=delete or by using Deno, which has pollution protection enabled by default.

    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade js-yaml to version 3.14.2, 4.1.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - foundation-sites -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and foundation-sites@6.8.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    foundation-sites is a responsive front-end framework

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.

    -

    PoC

    -
    https://www.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for foundation-sites.

    -

    References

    - - -
    - - - -
    -
    -

    Insecure Randomness

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - formidable -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Insecure Randomness due to its use of the hexoid() function in the generation of fingerprint IDs.

    -

    Remediation

    -

    Upgrade formidable to version 2.1.3, 3.5.3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - brace-expansion -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, minimatch@3.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - minimatch@3.1.2 - - brace-expansion@1.1.11 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.4.0 - - @redocly/openapi-core@1.30.0 - - minimatch@5.1.6 - - brace-expansion@2.0.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    brace-expansion is a Brace expansion as known from sh/bash

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

    -

    PoC

    -
    import index from "./index.js";
    -        
    -        let str = "{a}" + ",".repeat(100000) + "\u0000";
    -        
    -        let startTime = performance.now();
    -        
    -        const result = index(str);
    -        
    -        let endTime = performance.now();
    -        
    -        let timeTaken = endTime - startTime;
    -        
    -        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.1.11/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.1.11/ghcr.io_dexidp_dex_v2.43.0.html deleted file mode 100644 index 822c09f1c9..0000000000 --- a/docs/snyk/v3.1.11/ghcr.io_dexidp_dex_v2.43.0.html +++ /dev/null @@ -1,1993 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:33:38 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • -
    -
    - -
    -
    15 known vulnerabilities
    -
    41 vulnerable dependency paths
    -
    1131 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/oauth2/jws -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/oauth2/jws@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    -

    Remediation

    -

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Server-side Request Forgery (SSRF)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http/httpproxy -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/net/http/httpproxy@v0.32.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    -

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Handling of Unexpected Data Type

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Asymmetric Resource Consumption (Amplification)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/golang-jwt/jwt/v5 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/golang-jwt/jwt/v5@v5.2.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    -

    Remediation

    -

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Read

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Observable Discrepancy

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api/auth/userpass -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

    -

    ##Workaround

    -

    This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

    -

    Remediation

    -

    There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/go-jose/go-jose/v4 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/go-jose/go-jose/v4@v4.0.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    -

    Workaround

    -

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    -

    Remediation

    -

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Synchronous Access of Remote Resource without Timeout

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api@v1.15.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    -

    Remediation

    -

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.1.11/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.1.11/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html deleted file mode 100644 index 61860b1fbe..0000000000 --- a/docs/snyk/v3.1.11/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html +++ /dev/null @@ -1,1359 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:33:43 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • -
    -
    - -
    -
    5 known vulnerabilities
    -
    42 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    -
    -
    -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.1.11/public.ecr.aws_docker_library_redis_7.2.11-alpine.html b/docs/snyk/v3.1.11/public.ecr.aws_docker_library_redis_7.2.11-alpine.html
deleted file mode 100644
index ae08278a62..0000000000
--- a/docs/snyk/v3.1.11/public.ecr.aws_docker_library_redis_7.2.11-alpine.html
+++ /dev/null
@@ -1,754 +0,0 @@
- - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:33:49 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/docker/library/redis (apk)
    • -
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
    • -
    -
    - -
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - busybox/busybox@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r13 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine - - busybox/ssl_client@1.37.0-r13 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.1.11/argocd-iac-install.html b/docs/snyk/v3.1.12/argocd-iac-install.html
similarity index 99%
rename from docs/snyk/v3.1.11/argocd-iac-install.html
rename to docs/snyk/v3.1.12/argocd-iac-install.html
index 04be90ad06..2018cc7ab6 100644
--- a/docs/snyk/v3.1.11/argocd-iac-install.html
+++ b/docs/snyk/v3.1.12/argocd-iac-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:35:37 am (UTC+00:00)

    +

    February 22nd 2026, 12:38:53 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.1.11/argocd-iac-namespace-install.html b/docs/snyk/v3.1.12/argocd-iac-namespace-install.html
similarity index 99%
rename from docs/snyk/v3.1.11/argocd-iac-namespace-install.html
rename to docs/snyk/v3.1.12/argocd-iac-namespace-install.html
index b4e848f637..42f98796d7 100644
--- a/docs/snyk/v3.1.11/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.1.12/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:35:46 am (UTC+00:00)

    +

    February 22nd 2026, 12:39:03 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.1.12/argocd-test.html b/docs/snyk/v3.1.12/argocd-test.html
new file mode 100644
index 0000000000..91b7b00beb
--- /dev/null
+++ b/docs/snyk/v3.1.12/argocd-test.html
@@ -0,0 +1,3272 @@
+ + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:36:49 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • /argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)
    • +
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • +
    • /argo-cd/ui/yarn.lock (yarn)
    • +
    +
    + +
    +
    22 known vulnerabilities
    +
    57 vulnerable dependency paths
    +
    2105 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    Predictable Value Range from Previous Values

    +
    + +
    +
    + critical severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + form-data +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + form-data@4.0.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

    +

    Remediation

    +

    Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + qs +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + qs@6.11.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + qs@6.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

    +

    PoC

    +
    
    +        const qs = require('qs');
    +        const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    +        const result = qs.parse(attack, { arrayLimit: 100 });
    +        console.log(result.a.length);  // Output: 10000 (should be max 100)
    +        
    +

    Remediation

    +

    Upgrade qs to version 6.14.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + minimatch +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and minimatch@3.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    minimatch is a minimal matching utility.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row, followed by an unmatched character.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade minimatch to version 10.2.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and go.opentelemetry.io/otel/sdk/resource@1.36.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/resource@1.36.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/trace@1.36.0 + + go.opentelemetry.io/otel/sdk/resource@1.36.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.36.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.36.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.36.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform@1.36.0 + + go.opentelemetry.io/otel/sdk/resource@1.36.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.36.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.36.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.36.0 + + go.opentelemetry.io/otel/sdk/trace@1.36.0 + + go.opentelemetry.io/otel/sdk/resource@1.36.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Uncaught Exception

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Uncaught Exception in the numeric entity processing when parsing XML containing out-of-range entity code points. An attacker can cause the application to crash by submitting specially crafted XML input that triggers an uncaught exception.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.4 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    XML Entity Expansion

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

    +

    Workaround

    +

    This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

    +

    PoC

    +
    const { XMLParser } = require('fast-xml-parser');
    +        
    +        const entity = 'A'.repeat(1000);
    +        const refs = '&big;'.repeat(100);
    +        const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;
    +        
    +        console.time('parse');
    +        new XMLParser().parse(xml);
    +        console.timeEnd('parse');
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.6 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Incorrect Regular Expression

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + qs +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + qs@6.11.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + qs@6.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memory by submitting a parameter containing a large number of comma-separated values, resulting in the allocation of excessively large arrays.

    +

    Note: + This is only exploitable if the comma option is explicitly set to true. arrayLimit is properly enforced for index and bracket notation.

    +

    PoC

    +
    const qs = require('qs');
    +        
    +        const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)
    +        const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
    +        
    +        try {
    +          const result = qs.parse(payload, options);
    +          console.log(result.a.length);  // Outputs: 26 (bypass successful)
    +        } catch (e) {
    +          console.log('Limit enforced:', e.message);  // Not thrown
    +        }
    +        
    +

    Remediation

    +

    Upgrade qs to version 6.14.2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + min-document +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, react-hot-loader@3.1.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-hot-loader@3.1.3 + + global@4.4.0 + + min-document@2.19.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the removeAttributeNS function. An attacker can manipulate the prototype chain of JavaScript objects, potentially causing a denial-of-service attack by supplying malicious input that targets the __proto__ property during namespace attribute removal.

    +

    Notes:

    +

    This vulnerability is only exploitable if user input is passed without sanitization to the affected functions. The PoC has been validated as a theoretical vector, and a fixed version has been released.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade min-document to version 2.19.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash-es +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and lodash-es@4.17.21 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash-es to version 4.17.23 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, dagre@0.8.5 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + graphlib@2.1.8 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-hot-loader@3.1.3 + + react-proxy@3.0.0-alpha.1 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash to version 4.17.23 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + js-yaml +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and js-yaml@4.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + js-yaml@4.1.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + js-yaml@4.1.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    js-yaml is a human-friendly data serialization language.

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. This can lead to unexpected behavior or security issues in applications that process untrusted YAML input.

    +

    Workaround

    +

    This vulnerability can be mitigated by running the server with node --disable-proto=delete or by using Deno, which has pollution protection enabled by default.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade js-yaml to version 3.14.2, 4.1.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/r3labs/diff/v3@3.0.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.21.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + code.gitea.io/sdk/gitea@0.21.0 + + github.com/hashicorp/go-version@1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.130.1 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.7 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.130.1 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.130.1 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#87bf0576a872 + + github.com/argoproj/notifications-engine/pkg/services@#87bf0576a872 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.7 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/gosimple/slug@1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/go-git/go-git/v5@5.14.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + foundation-sites +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and foundation-sites@6.8.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + foundation-sites@6.8.1 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + foundation-sites@6.8.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    foundation-sites is a responsive front-end framework

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.

    +

    PoC

    +
    https://www.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for foundation-sites.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + diff +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, unidiff@1.0.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + unidiff@1.0.2 + + diff@2.2.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    diff is a javascript text differencing implementation.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsePatch() and applyPatch() functions if the user input passed without sanitisation. An attacker can cause the process to enter an infinite loop and exhaust system memory by providing a patch with filename headers containing \r, \u2028, or \u2029 characters or having control over patch's patch header for application generated patches.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade diff to version 3.5.1, 4.0.4, 5.2.2, 8.0.3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Insecure Randomness

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + formidable +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Insecure Randomness due to its use of the hexoid() function in the generation of fingerprint IDs.

    +

    Remediation

    +

    Upgrade formidable to version 2.1.3, 3.5.3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + brace-expansion +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, minimatch@3.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + brace-expansion@1.1.11 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + brace-expansion@2.0.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    brace-expansion is a Brace expansion as known from sh/bash

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

    +

    PoC

    +
    import index from "./index.js";
    +        
    +        let str = "{a}" + ",".repeat(100000) + "\u0000";
    +        
    +        let startTime = performance.now();
    +        
    +        const result = index(str);
    +        
    +        let endTime = performance.now();
    +        
    +        let timeTaken = endTime - startTime;
    +        
    +        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html new file mode 100644 index 0000000000..95799cd4fd --- /dev/null +++ b/docs/snyk/v3.1.12/ghcr.io_dexidp_dex_v2.43.0.html @@ -0,0 +1,5010 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:36:56 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • +
    +
    + +
    +
    46 known vulnerabilities
    +
    141 vulnerable dependency paths
    +
    1131 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/oauth2/jws +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/oauth2/jws@v0.24.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    +

    Remediation

    +

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Server-side Request Forgery (SSRF)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/http/httpproxy +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/net/http/httpproxy@v0.32.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    +

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    +

    Remediation

    +

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Handling of Unexpected Data Type

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and go.opentelemetry.io/otel/sdk/resource@v1.33.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + go.opentelemetry.io/otel/sdk/resource@v1.33.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Asymmetric Resource Consumption (Amplification)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/golang-jwt/jwt/v5 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/golang-jwt/jwt/v5@v5.2.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    +

    Remediation

    +

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Out-of-bounds Read

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/serf/coordinate +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/serf/coordinate@v0.10.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl/v2 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/gohcl@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclparse@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/json@v2.13.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl@v1.0.0 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl/hcl/token@v1.0.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/golang-lru/simplelru +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/golang-lru/simplelru@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-uuid +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-uuid@v1.0.3 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-sockaddr +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr@v1.0.7 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr/template@v1.0.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/strutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/parseutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/awsutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-rootcerts +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-rootcerts@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-retryablehttp@v0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-immutable-radix +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-immutable-radix@v1.3.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/errwrap +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/gosimple/slug@v1.14.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/go-sql-driver/mysql +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/go-sql-driver/mysql@v1.9.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-jose/go-jose/v4 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/go-jose/go-jose/v4@v4.0.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    +

    Workaround

    +

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    +

    Remediation

    +

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Initialization

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + filippo.io/edwards25519 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and filippo.io/edwards25519@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + filippo.io/edwards25519@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Initialization via the MultiScalarMult function when the receiver is not properly initialized. An attacker can cause invalid results or undefined behavior by invoking this function on an uninitialized or non-identity receiver.

    +

    Remediation

    +

    Upgrade filippo.io/edwards25519 to version 1.1.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Synchronous Access of Remote Resource without Timeout

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    +

    Remediation

    +

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html new file mode 100644 index 0000000000..ec64a4a582 --- /dev/null +++ b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html @@ -0,0 +1,3286 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:37:01 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • +
    +
    + +
    +
    15 known vulnerabilities
    +
    142 vulnerable dependency paths
    +
    19 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    +
    +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html new file mode 100644 index 0000000000..b7778c698c --- /dev/null +++ b/docs/snyk/v3.1.12/public.ecr.aws_docker_library_redis_7.2.11-alpine.html @@ -0,0 +1,2571 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:37:08 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/docker/library/redis (apk)
    • +
    • public.ecr.aws/docker/library/redis:7.2.11-alpine/tianon/gosu//usr/local/bin/gosu (gomodules)
    • +
    +
    + +
    +
    12 known vulnerabilities
    +
    100 vulnerable dependency paths
    +
    19 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and openssl/libcrypto3@3.3.5-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + openssl/libcrypto3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + .redis-rundeps@20251008.225801 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + openssl/libssl3@3.3.5-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/busybox@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r13 + + busybox/busybox@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/busybox-binsh@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine and busybox/busybox@1.37.0-r13 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/busybox@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r13 + + busybox/busybox@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/busybox-binsh@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r13 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@7.2.11-alpine + + busybox/ssl_client@1.37.0-r13 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.1.12/quay.io_argoproj_argocd_v3.1.12.html b/docs/snyk/v3.1.12/quay.io_argoproj_argocd_v3.1.12.html new file mode 100644 index 0000000000..a90d9c5243 --- /dev/null +++ b/docs/snyk/v3.1.12/quay.io_argoproj_argocd_v3.1.12.html @@ -0,0 +1,5786 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:37:30 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • quay.io/argoproj/argocd:v3.1.12/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.1.12//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.1.12/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.1.12/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    +
    + +
    +
    45 known vulnerabilities
    +
    179 vulnerable dependency paths
    +
    2320 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and go.opentelemetry.io/otel/sdk/resource@v1.36.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + go.opentelemetry.io/otel/sdk/resource@v1.36.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Directory Traversal

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + tar +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and tar@1.35+dfsg-3build1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + tar@1.35+dfsg-3build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + dash@0.5.12-6ubuntu5 + + dpkg@1.22.6ubuntu6.5 + + tar@1.35+dfsg-3build1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 tar.

    +

    References

    + + +
    + + + +
    +
    +

    Directory Traversal

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + pam/libpam0g +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and pam/libpam0g@1.5.3-5ubuntu5.5 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + shadow/login@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + util-linux@2.39.3-9ubuntu6.4 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + pam/libpam-modules-bin@1.5.3-5ubuntu5.5 + + pam/libpam0g@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + pam/libpam-modules-bin@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + pam/libpam-modules-bin@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + pam/libpam-runtime@1.5.3-5ubuntu5.5 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + shadow/login@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + pam/libpam-runtime@1.5.3-5ubuntu5.5 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + shadow/login@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-runtime@1.5.3-5ubuntu5.5 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 pam.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Verification of Cryptographic Signature

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + gnupg2/gpgv +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and gnupg2/gpgv@2.4.4-2ubuntu17.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpgv@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + gnupg2/gpgv@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/dirmngr@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/dirmngr@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 gnupg2.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-0861

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + glibc/libc-bin +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and glibc/libc-bin@2.39-0ubuntu8.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc-bin@2.39-0ubuntu8.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc6@2.39-0ubuntu8.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Passing too large an alignment to the memalign suite of functions (memalign, posix_memalign, aligned_alloc) in the GNU C Library version 2.30 to 2.42 may result in an integer overflow, which could consequently result in a heap corruption.

    +

    Note that the attacker must have control over both, the size as well as the alignment arguments of the memalign function to be able to exploit this. The size parameter must be close enough to PTRDIFF_MAX so as to overflow size_t along with the large alignment argument. This limits the malicious inputs for the alignment for memalign to the range [1<<62+ 1, 1<<63] and exactly 1<<63 for posix_memalign and aligned_alloc.

    +

    Typically the alignment argument passed to such functions is a known constrained quantity (e.g. page size, block size, struct sizes) and is not attacker controlled, because of which this may not be easily exploitable in practice. An application bug could potentially result in the input alignment being too large, e.g. due to a different buffer overflow or integer overflow in the application or its dependent libraries, but that is again an uncommon usage pattern given typical sources of alignments.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-0915

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + glibc/libc-bin +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and glibc/libc-bin@2.39-0ubuntu8.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc-bin@2.39-0ubuntu8.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc6@2.39-0ubuntu8.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Calling getnetbyaddr or getnetbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend for networks and queries for a zero-valued network in the GNU C Library version 2.0 to version 2.42 can leak stack contents to the configured DNS resolver.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15281

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + glibc/libc-bin +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and glibc/libc-bin@2.39-0ubuntu8.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc-bin@2.39-0ubuntu8.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc6@2.39-0ubuntu8.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 glibc to version 2.39-0ubuntu8.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/r3labs/diff/v3@v3.0.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-version@v1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-retryablehttp@v0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/gosimple/slug@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Encoding or Escaping of Output

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + git/git-man +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + git/git-man@1:2.43.0-1ubuntu7.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git-lfs@3.4.1-1ubuntu0.3 + + git@1:2.43.0-1ubuntu7.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 git.

    +

    References

    + + +
    + + + +
    +
    +

    Link Following

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + git-lfs +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and git-lfs@3.4.1-1ubuntu0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git-lfs@3.4.1-1ubuntu0.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 git-lfs to version 3.4.1-1ubuntu0.3+esm2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Arbitrary Code Injection

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + git-lfs +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and git-lfs@3.4.1-1ubuntu0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git-lfs@3.4.1-1ubuntu0.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 git-lfs to version 3.4.1-1ubuntu0.3+esm2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + expat/libexpat1 +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + expat/libexpat1@2.6.1-2ubuntu0.3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 expat.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-56433

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + shadow/passwd +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + shadow/login@1:4.13+dfsg1-4ubuntu3.2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 shadow.

    +

    References

    + + +
    + + + +
    +
    +

    Release of Invalid Pointer or Reference

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and patch@2.7.6-7build3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + patch@2.7.6-7build3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    Double Free

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + patch +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and patch@2.7.6-7build3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + patch@2.7.6-7build3 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 patch.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service.

    +

    A type confusion vulnerability exists in the PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating its type, causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon for applications to accept untrusted PKCS#12 files, as they are usually used to store private keys, which are trusted by definition. For these reasons, the issue was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References


    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated.

    Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection.

    The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes.

    However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity.

    The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm.

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References


    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating its type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing certificate attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is limited to a Denial of Service. For these reasons the issue was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References


    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter, where the next BIO performs short writes, can trigger a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption, which typically results in a crash, leading to a Denial of Service for the application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In the OpenSSL command-line applications it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write, and that write large, newline-free data influenced by an attacker, would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Ubuntu:24.04 openssl to version 3.0.13-0ubuntu3.7 or higher.

    +

    References


    CVE-2024-41996

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssl/libssl3t64 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libfido2/libfido2-1@1.14.0-1build3 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + libssh/libssh-4@0.10.6-2ubuntu0.2 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 + + krb5/libkrb5-3@1.20.1-6ubuntu2.6 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 + + cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 + + openssl/libssl3t64@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + ca-certificates@20240203 + + openssl@3.0.13-0ubuntu3.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 openssl.

    +

    References


    Failure to Sanitize Special Element

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssh/openssh-client@1:9.6p1-3ubuntu13.14 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 openssh.

    +

    References


    Improper Neutralization of Null Byte or NUL Character

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and openssh/openssh-client@1:9.6p1-3ubuntu13.14 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + openssh/openssh-client@1:9.6p1-3ubuntu13.14 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 openssh.

    +

    References


    Information Exposure

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + libgcrypt20 +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and libgcrypt20@1.10.3-2build1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/dirmngr@2.4.4-2ubuntu17.4 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + apt/libapt-pkg6.0t64@2.8.3 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + gnupg2/gpgv@2.4.4-2ubuntu17.4 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + adduser@3.137ubuntu1 + + shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + + pam/libpam-modules@1.5.3-5ubuntu5.5 + + systemd/libsystemd0@255.4-1ubuntu8.12 + + libgcrypt20@1.10.3-2build1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 libgcrypt20.

    +

    References


    Out-of-bounds Write

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + gnupg2/gpgv +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and gnupg2/gpgv@2.4.4-2ubuntu17.4 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpgv@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + apt@2.8.3 + + gnupg2/gpgv@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/dirmngr@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + gnupg2/gpgconf@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/dirmngr@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg@2.4.4-2ubuntu17.4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 gnupg2.

    +

    References


    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + glibc/libc-bin +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and glibc/libc-bin@2.39-0ubuntu8.6 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc-bin@2.39-0ubuntu8.6 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + glibc/libc6@2.39-0ubuntu8.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 glibc.

    +

    References


    Out-of-bounds Read

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. See "How to fix?" for the Ubuntu:24.04 fixed versions and status.

    +
      +
    1. A cookie is set using the secure keyword for https://target
    2. curl is redirected to or otherwise made to speak with http://target (same hostname, but using clear-text HTTP) using the same cookie set
    3. The same cookie name is set again, but with just a slash as path (path="/"). Since this site is not secure, the cookie should simply be ignored.
    4. A bug in the path comparison logic makes curl read outside a heap buffer boundary
    +

    The bug either causes a crash or potentially makes the comparison come to the wrong conclusion and lets the clear-text site override the contents of the secure cookie, contrary to expectations, depending on the memory contents immediately following the single-byte allocation that holds the path.

    +

    The correct behavior is to ignore the second cookie entirely: it was already set as secure on a secure host, so overriding it from an insecure host must not be allowed.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References


    CVE-2025-10148

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    curl's websocket code did not update the 32 bit mask pattern for each new + outgoing frame as the specification says. Instead it used a fixed mask that + persisted and was used throughout the entire connection.

    +

    A predictable mask pattern allows for a malicious server to induce traffic + between the two communicating parties that could be interpreted by an involved + proxy (configured or transparent) as genuine, real, HTTP traffic with content + and thereby poison its cache. That cached poisoned content could then be + served to all users of that proxy.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15224

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    When doing SSH-based transfers using either SCP or SFTP, and asked to do + public key authentication, curl would wrongly still ask and authenticate using + a locally running SSH agent.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15079

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    When doing SSH-based transfers using either SCP or SFTP, and setting the + known_hosts file, libcurl could still mistakenly accept connecting to hosts + not present in the specified file if they were added as recognized in the + libssh global known_hosts file.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-14819

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    When doing TLS related transfers with reused easy or multi handles and + altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally + reuse a CA store cached in memory for which the partial chain option was + reversed. Contrary to the user's wishes and expectations. This could make + libcurl find and accept a trust chain that it otherwise would not.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    Open Redirect

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer + performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, + POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new + target host.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-0167

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.1.12, git@1:2.43.0-1ubuntu7.3 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + git@1:2.43.0-1ubuntu7.3 + + curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    When asked to use a .netrc file for credentials and to follow HTTP + redirects, curl could leak the password used for the first host to the + followed-to host under certain circumstances.

    +

    This flaw only manifests itself if the netrc file has a default entry that + omits both login and password. A rare circumstance.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 curl.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Input Validation

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.1.12/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:24.04 +
    • +
    • + Vulnerable module: + + coreutils +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.1.12 and coreutils@9.4-3ubuntu6.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.1.12 + + coreutils@9.4-3ubuntu6.1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. + See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    +

    chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:24.04 coreutils.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + +
diff --git a/docs/snyk/v3.2.5/argocd-test.html b/docs/snyk/v3.2.5/argocd-test.html
deleted file mode 100644
index a495539447..0000000000
--- a/docs/snyk/v3.2.5/argocd-test.html
+++ /dev/null
@@ -1,1346 +0,0 @@
- - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:31:03 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • /argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)
    • -
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • -
    • /argo-cd/ui/yarn.lock (yarn)
    • -
    -
    - -
    -
    6 known vulnerabilities
    -
    10 vulnerable dependency paths
    -
    2115 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - qs -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - qs@6.11.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - qs@6.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

    -

    PoC

    -
    
    -        const qs = require('qs');
    -        const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    -        const result = qs.parse(attack, { arrayLimit: 100 });
    -        console.log(result.a.length);  // Output: 10000 (should be max 100)
    -        
    -

    Remediation

    -

    Upgrade qs to version 6.14.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Prototype Pollution

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - min-document -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, react-hot-loader@3.1.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - react-hot-loader@3.1.3 - - global@4.4.0 - - min-document@2.19.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Prototype Pollution via the removeAttributeNS function. An attacker can manipulate the prototype chain of JavaScript objects, potentially causing a denial-of-service attack by supplying malicious input that targets the __proto__ property during namespace attribute removal.

    -

    Notes:

    -

    This vulnerability is only exploitable if user input is passed without sanitization to the affected functions. The PoC has been validated as a theoretical vector, and a fixed version has been released.

    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade min-document to version 2.19.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Prototype Pollution

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - js-yaml -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and js-yaml@4.1.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - js-yaml@4.1.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.4.0 - - @redocly/openapi-core@1.30.0 - - js-yaml@4.1.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    js-yaml is a human-friendly data serialization language.

    -

    Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing __proto__ properties. This can lead to unexpected behavior or security issues in applications that process untrusted YAML input.

    -

    Workaround

    -

    This vulnerability can be mitigated by running the server with node --disable-proto=delete or by using Deno, which has pollution protection enabled by default.

    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade js-yaml to version 3.14.2, 4.1.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - foundation-sites -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and foundation-sites@6.8.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    foundation-sites is a responsive front-end framework

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.

    -

    PoC

    -
    https://www.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for foundation-sites.

    -

    References

    - - -
    - - - -
    -
    -

    Insecure Randomness

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - formidable -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Insecure Randomness due to its use of the hexoid() function in the generation of fingerprint IDs.

    -

    Remediation

    -

    Upgrade formidable to version 2.1.3, 3.5.3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - brace-expansion -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, minimatch@3.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - minimatch@3.1.2 - - brace-expansion@1.1.11 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.4.0 - - @redocly/openapi-core@1.30.0 - - minimatch@5.1.6 - - brace-expansion@2.0.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    brace-expansion is a Brace expansion as known from sh/bash

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

    -

    PoC

    -
    import index from "./index.js";
    -        
    -        let str = "{a}" + ",".repeat(100000) + "\u0000";
    -        
    -        let startTime = performance.now();
    -        
    -        const result = index(str);
    -        
    -        let endTime = performance.now();
    -        
    -        let timeTaken = endTime - startTime;
    -        
    -        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
    diff --git a/docs/snyk/v3.2.5/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.2.5/ghcr.io_dexidp_dex_v2.43.0.html
    deleted file mode 100644
    index 256251e22d..0000000000
    --- a/docs/snyk/v3.2.5/ghcr.io_dexidp_dex_v2.43.0.html
    +++ /dev/null
    @@ -1,1993 +0,0 @@
    - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:31:10 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • -
    -
    - -
    -
    15 known vulnerabilities
    -
    41 vulnerable dependency paths
    -
    1131 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/oauth2/jws -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/oauth2/jws@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    -

    Remediation

    -

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Server-side Request Forgery (SSRF)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http/httpproxy -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/net/http/httpproxy@v0.32.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    -

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Handling of Unexpected Data Type

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Asymmetric Resource Consumption (Amplification)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/golang-jwt/jwt/v5 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/golang-jwt/jwt/v5@v5.2.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    -

    Remediation

    -

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Read

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Observable Discrepancy

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api/auth/userpass -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

    -

    ##Workaround

    -

    This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

    -

    Remediation

    -

    There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/go-jose/go-jose/v4 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/go-jose/go-jose/v4@v4.0.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    -

    Workaround

    -

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    -

    Remediation

    -

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Synchronous Access of Remote Resource without Timeout

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api@v1.15.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    -

    Remediation

    -

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
    diff --git a/docs/snyk/v3.2.5/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.2.5/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
    deleted file mode 100644
    index 1938a76788..0000000000
    --- a/docs/snyk/v3.2.5/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
    +++ /dev/null
    @@ -1,1359 +0,0 @@
    - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:31:15 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • -
    -
    - -
    -
    5 known vulnerabilities
    -
    42 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    -
    -
    -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.2.5/public.ecr.aws_docker_library_redis_8.2.2-alpine.html b/docs/snyk/v3.2.5/public.ecr.aws_docker_library_redis_8.2.2-alpine.html
deleted file mode 100644
index a2c525cb1a..0000000000
--- a/docs/snyk/v3.2.5/public.ecr.aws_docker_library_redis_8.2.2-alpine.html
+++ /dev/null
@@ -1,762 +0,0 @@
- - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:31:21 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis (apk)
    • -
    -
    - -
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    -
    22 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|public.ecr.aws/docker/library/redis
    Path public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis
    Package Manager apk
    -
    -
    -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.2.5/quay.io_argoproj_argocd_v3.2.5.html b/docs/snyk/v3.2.5/quay.io_argoproj_argocd_v3.2.5.html
deleted file mode 100644
index bd7dfc5c03..0000000000
--- a/docs/snyk/v3.2.5/quay.io_argoproj_argocd_v3.2.5.html
+++ /dev/null
@@ -1,2327 +0,0 @@
- - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:31:42 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • quay.io/argoproj/argocd:v3.2.5/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v3.2.5/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.2.5//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.2.5/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.2.5/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • -
    -
    - -
    -
    17 known vulnerabilities
    -
    53 vulnerable dependency paths
    -
    2322 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - tar -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and tar@1.35+dfsg-3.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - tar@1.35+dfsg-3.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - dpkg@1.22.18ubuntu2.2 - - tar@1.35+dfsg-3.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 tar.

    -

    References

    - - -
    - - - -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - pam/libpam0g -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and pam/libpam0g@1.5.3-7ubuntu4.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 pam.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Encoding or Escaping of Output

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - git/git-man -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - git/git-man@1:2.48.1-0ubuntu1.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git-lfs@3.6.1-1 - - git@1:2.48.1-0ubuntu1.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 git.

    -

    References

    - - -
    - - - -
    -
    -

    Algorithmic Complexity

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - expat/libexpat1@2.7.1-1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 expat.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-11563

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    This vulnerability has not been analyzed by NVD yet.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-13034

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey - with the curl tool,curl should check the public key of the server certificate - to verify the peer.

    -

    This check was skipped in a certain condition that would then make curl allow - the connection without performing the proper check, thus not noticing a - possible impostor. To skip this check, the connection had to be done with QUIC - with ngtcp2 built to use GnuTLS and the user had to explicitly disable the - standard certificate verification.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-56433

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - shadow/login.defs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and shadow/login.defs@1:4.16.0-7ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - openssh/openssh-client@1:9.9p1-3ubuntu3.2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 shadow.

    -

    References

    - - -
    - - - -
    -
    -

    Double Free

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Release of Invalid Pointer or Reference

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Information Exposure

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - libgcrypt20 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and libgcrypt20@1.11.0-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/dirmngr@2.4.4-2ubuntu23.2 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg@2.4.4-2ubuntu23.2 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.2 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - gnupg2/gpgv@2.4.4-2ubuntu23.2 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg@2.4.4-2ubuntu23.2 - - gnupg2/gpgconf@2.4.4-2ubuntu23.2 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 libgcrypt20.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Write

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - gnupg2/gpgv -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and gnupg2/gpgv@2.4.4-2ubuntu23.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpgv@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - apt@3.0.0 - - gnupg2/gpgv@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/dirmngr@2.4.4-2ubuntu23.2 - - gnupg2/gpgconf@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.2 - - gnupg2/gpgconf@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg@2.4.4-2ubuntu23.2 - - gnupg2/gpgconf@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/dirmngr@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg@2.4.4-2ubuntu23.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 gnupg2.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - glibc/libc-bin -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and glibc/libc-bin@2.41-6ubuntu1.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - glibc/libc-bin@2.41-6ubuntu1.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - glibc/libc6@2.41-6ubuntu1.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 glibc.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9086

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -
      -
    1. A cookie is set using the secure keyword for https://target
    2. -
    3. curl is redirected to or otherwise made to speak with http://target (same - hostname, but using clear text HTTP) using the same cookie set
    4. -
    5. The same cookie name is set - but with just a slash as path (path=\&#34;/\&#34;,). - Since this site is not secure, the cookie should just be ignored.
    6. -
    7. A bug in the path comparison logic makes curl read outside a heap buffer - boundary
    8. -
    -

    The bug either causes a crash or it potentially makes the comparison come to - the wrong conclusion and lets the clear-text site override the contents of the - secure cookie, contrary to expectations and depending on the memory contents - immediately following the single-byte allocation that holds the path.

    -

    The presumed and correct behavior would be to plainly ignore the second set of - the cookie since it was already set as secure on a secure host so overriding - it on an insecure host should not be okay.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-10148

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    curl's websocket code did not update the 32 bit mask pattern for each new - outgoing frame as the specification says. Instead it used a fixed mask that - persisted and was used throughout the entire connection.

    -

    A predictable mask pattern allows for a malicious server to induce traffic - between the two communicating parties that could be interpreted by an involved - proxy (configured or transparent) as genuine, real, HTTP traffic with content - and thereby poison its cache. That cached poisoned content could then be - served to all users of that proxy.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14819

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When doing TLS related transfers with reused easy or multi handles and - altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally - reuse a CA store cached in memory for which the partial chain option was - reversed. Contrary to the user's wishes and expectations. This could make - libcurl find and accept a trust chain that it otherwise would not.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14524

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.2.5, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer - performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, - POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new - target host.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Input Validation

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.2.5/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - coreutils -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.2.5 and coreutils@9.5-1ubuntu1.25.04.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.2.5 - - coreutils@9.5-1ubuntu1.25.04.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 coreutils.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.2.5/argocd-iac-install.html b/docs/snyk/v3.2.7/argocd-iac-install.html
similarity index 99%
rename from docs/snyk/v3.2.5/argocd-iac-install.html
rename to docs/snyk/v3.2.7/argocd-iac-install.html
index eade4d8c83..5472cfb67e 100644
--- a/docs/snyk/v3.2.5/argocd-iac-install.html
+++ b/docs/snyk/v3.2.7/argocd-iac-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:33:04 am (UTC+00:00)

    +

    February 22nd 2026, 12:36:16 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.2.5/argocd-iac-namespace-install.html b/docs/snyk/v3.2.7/argocd-iac-namespace-install.html
similarity index 99%
rename from docs/snyk/v3.2.5/argocd-iac-namespace-install.html
rename to docs/snyk/v3.2.7/argocd-iac-namespace-install.html
index 9bc7b1cf96..c89715adff 100644
--- a/docs/snyk/v3.2.5/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.2.7/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:33:14 am (UTC+00:00)

    +

    February 22nd 2026, 12:36:27 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.0.22/argocd-test.html b/docs/snyk/v3.2.7/argocd-test.html
similarity index 56%
rename from docs/snyk/v3.0.22/argocd-test.html
rename to docs/snyk/v3.2.7/argocd-test.html
index 3ecaa66575..1ca5114fa7 100644
--- a/docs/snyk/v3.0.22/argocd-test.html
+++ b/docs/snyk/v3.2.7/argocd-test.html
@@ -7,7 +7,7 @@ Snyk test report - +
@@ -492,7 +492,7 @@

    Snyk test report

    -

    January 18th 2026, 12:36:06 am (UTC+00:00)

    +

    February 22nd 2026, 12:34:10 am (UTC+00:00)

    Scanned the following paths:
@@ -504,9 +504,9 @@
    -
    11 known vulnerabilities
    -
    29 vulnerable dependency paths
    -
    2088 dependencies
    +
    21 known vulnerabilities
    +
    56 vulnerable dependency paths
    +
    2115 dependencies
    @@ -514,255 +514,6 @@
    -
    -

    Predictable Value Range from Previous Values

    -
    - -
    -
    - critical severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - form-data -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - form-data@4.0.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Predictable Value Range from Previous Values via the boundary value, which uses Math.random(). An attacker can manipulate HTTP request boundaries by exploiting predictable values, potentially leading to HTTP parameter pollution.

    -

    Remediation

    -

    Upgrade form-data to version 2.5.4, 3.0.4, 4.0.4 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Prototype Pollution

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - redoc -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and redoc@2.0.0-rc.64 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    redoc is an OpenAPI/Swagger-generated API Reference Documentation.

    -

    Affected versions of this package are vulnerable to Prototype Pollution via the mergeObjects() method in utils/helpers.ts due to improper user input sanitization.

    -

    PoC

    -
    (async () => {
    -          const lib = await import('redoc');
    -        
    -        var BAD_JSON = JSON.parse('{"__proto__":{"polluted":true}}');
    -        var victim = {}
    -        console.log("Before Attack: ", JSON.stringify(victim.__proto__));
    -        try {
    -          lib.mergeObjects ({}, BAD_JSON)
    -        } catch (e) { }
    -        console.log("After Attack: ", JSON.stringify(victim.__proto__));
    -        delete Object.prototype.polluted;
    -        })();
    -        
    -

    Details

    -

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    -

    There are two main ways in which the pollution of prototypes occurs:

    -
      -
    • Unsafe Object recursive merge

      -
    • -
    • Property definition by path

      -
    • -
    -

    Unsafe Object recursive merge

    -

    The logic of a vulnerable recursive merge function follows the following high-level model:

    -
    merge (target, source)
    -        
    -          foreach property of source
    -        
    -            if property exists and is an object on both the target and the source
    -        
    -              merge(target[property], source[property])
    -        
    -            else
    -        
    -              target[property] = source[property]
    -        
    -
    - -

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    -

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    -

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    -

    Property definition by path

    -

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    -

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    -

    Types of attacks

    -

    There are a few methods by which Prototype Pollution can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    -

    Affected environments

    -

    The following environments are susceptible to a Prototype Pollution attack:

    -
      -
    • Application server

      -
    • -
    • Web server

      -
    • -
    • Web browser

      -
    • -
    -

    How to prevent

    -
      -
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      -
    2. -
    3. Require schema validation of JSON input.

      -
    4. -
    5. Avoid using unsafe recursive merge functions.

      -
    6. -
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      -
    8. -
    9. As a best practice use Map instead of Object.

      -
    10. -
    -

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    -

    Remediation

    -

    Upgrade redoc to version 2.4.0 or higher.

    -

    References

    - - -
    - - - -

    Allocation of Resources Without Limits or Throttling

    @@ -857,6 +608,634 @@

    More about this vulnerability

    +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + minimatch +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and minimatch@3.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    minimatch is a minimal matching utility.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row, followed by an unmatched character.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade minimatch to version 10.2.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and go.opentelemetry.io/otel/sdk/resource@1.38.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/trace@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.38.0 + + go.opentelemetry.io/otel/sdk/trace@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Uncaught Exception

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Uncaught Exception in the numeric entity processing when parsing XML containing out-of-range entity code points. An attacker can cause the application to crash by submitting specially crafted XML input that triggers an uncaught exception.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.4 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    XML Entity Expansion

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

    +

    Workaround

    +

    This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

    +

    PoC

    +
    const { XMLParser } = require('fast-xml-parser');
    +        
    +        const entity = 'A'.repeat(1000);
    +        const refs = '&big;'.repeat(100);
    +        const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;
    +        
    +        console.time('parse');
    +        new XMLParser().parse(xml);
    +        console.timeEnd('parse');
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.6 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Incorrect Regular Expression

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + qs +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + qs@6.11.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + qs@6.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memory by submitting a parameter containing a large number of comma-separated values, resulting in the allocation of excessively large arrays.

    +

    Note: + This is only exploitable if the comma option is explicitly set to true. arrayLimit is properly enforced for index and bracket notation.

    +

    PoC

    +
    const qs = require('qs');
    +        
    +        const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)
    +        const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
    +        
    +        try {
    +          const result = qs.parse(payload, options);
    +          console.log(result.a.length);  // Outputs: 26 (bypass successful)
    +        } catch (e) {
    +          console.log('Limit enforced:', e.message);  // Not thrown
    +        }
    +        
    +

    Remediation

    +

    Upgrade qs to version 6.14.2 or higher.

    +

    References

    + + +
    + + +

    Prototype Pollution

    @@ -1003,7 +1382,7 @@
  • For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    Remediation

    Upgrade min-document to version 2.19.1 or higher.

    References

    @@ -1021,6 +1400,399 @@

    More about this vulnerability

    +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash-es +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and lodash-es@4.17.21 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash-es to version 4.17.23 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, dagre@0.8.5 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + graphlib@2.1.8 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-hot-loader@3.1.3 + + react-proxy@3.0.0-alpha.1 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash to version 4.17.23 or higher.

    +

    References

    + + +
    + + +

    Prototype Pollution

    @@ -1076,9 +1848,9 @@ Introduced through: argo-cd-ui@1.0.0 - redoc@2.0.0-rc.64 + redoc@2.4.0 - @redocly/openapi-core@1.0.0-beta.82 + @redocly/openapi-core@1.30.0 js-yaml@4.1.0 @@ -1177,7 +1949,7 @@

    For more information on this vulnerability type:

    -

    Arteau, Oliver. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    Remediation

    Upgrade js-yaml to version 3.14.2, 4.1.1 or higher.

    References

    @@ -1192,6 +1964,695 @@

    More about this vulnerability

    +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/r3labs/diff/v3@3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.22.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + code.gitea.io/sdk/gitea@0.22.0 + + github.com/hashicorp/go-version@1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.142.6 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.8 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.142.6 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@0.142.6 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/gosimple/slug@1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/go-git/go-git/v5@5.14.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + +

    Regular Expression Denial of Service (ReDoS)

    @@ -1368,13 +2829,13 @@
  • Vulnerable module: - @babel/runtime + diff
  • Introduced through: - argo-cd-ui@1.0.0, history@4.10.1 and others + argo-cd-ui@1.0.0, unidiff@1.0.2 and others
  • @@ -1388,199 +2849,9 @@ Introduced through: argo-cd-ui@1.0.0 - history@4.10.1 + unidiff@1.0.2 - @babel/runtime@7.14.6 - - - - -
  • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-router@4.3.1 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-form@2.16.3 - - react-redux@5.1.2 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-form@2.16.3 - - react-redux@5.1.2 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-form@2.16.3 - - react-redux@5.1.2 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-form@2.16.3 - - react-redux@5.1.2 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - react-router-dom@4.3.1 - - react-router@4.3.1 - - history@4.10.1 - - @babel/runtime@7.14.6 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - date-fns@2.30.0 - - @babel/runtime@7.21.5 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-virtualized@9.22.3 - - @babel/runtime@7.20.13 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - react-virtualized@9.22.3 - - dom-helpers@5.2.1 - - @babel/runtime@7.20.13 - - - -
  • -
  • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - polished@4.1.4 - - @babel/runtime@7.17.2 + diff@2.2.3 @@ -1592,24 +2863,8 @@

    Overview

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the replace() method in wrapRegExp.js. An attacker can cause degradation in performance by supplying input strings that exploit the quadratic complexity of the replacement algorithm.

    -

    This is only exploitable when all of the following conditions are met:

    -
      -
    1. The code passes untrusted strings in the second argument to .replace().

      -
    2. -
    3. The compiled regular expressions being applied contain named capture groups.

      -
    4. -
    -

    In the case of @babel/preset-env, if the targets option is in use the application will be vulnerable under either of the following conditions:

    -
      -
    1. A browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10 is used when processing named capture groups.

      -
    2. -
    3. A browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23 is used when processing duplicated named capture groups.

      -
    4. -
    -

    Note: The project maintainers advise that "just updating your Babel dependencies is not enough: you will also need to re-compile your code."

    -

    Workaround

    -

    This vulnerability can be avoided by filtering out input containing a $< that is not followed by a >.

    +

    diff is a javascript text differencing implementation.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsePatch() and applyPatch() functions if the user input passed without sanitisation. An attacker can cause the process to enter an infinite loop and exhaust system memory by providing a patch with filename headers containing \r, \u2028, or \u2029 characters or having control over patch's patch header for application generated patches.

    Details

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    @@ -1672,98 +2927,18 @@

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    Remediation

    -

    Upgrade @babel/runtime to version 7.26.10, 8.0.0-alpha.17 or higher.

    +

    Upgrade diff to version 3.5.1, 4.0.4, 5.2.2, 8.0.3 or higher.

    References


    - -
  • -
    -

    Arbitrary Code Injection

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - prismjs -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - prismjs@1.27.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    prismjs is a lightweight, robust, elegant syntax highlighting library.

    -

    Affected versions of this package are vulnerable to Arbitrary Code Injection via the document.currentScript lookup process. An attacker can manipulate the web page content and execute unintended actions by injecting HTML elements that overshadow legitimate DOM elements.

    -

    Note:

    -

    This is only exploitable if the application accepts untrusted input containing HTML but not direct JavaScript.

    -

    Remediation

    -

    Upgrade prismjs to version 1.30.0 or higher.

    -

    References

    - - -
    - -
    @@ -1841,156 +3016,6 @@

    More about this vulnerability

    -
    -
    -

    Cross-site Scripting (XSS)

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - dompurify -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, redoc@2.0.0-rc.64 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.0.0-rc.64 - - dompurify@2.5.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

    -

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to incorrect handling of template literals in regular expressions. An attacker can manipulate the output of the script by injecting malicious payloads that bypass the dompurify sanitization.

    -

    PoC

    -
    DOMPurify.sanitize(
    -          `<math><foo-test><mi><li><table><foo-test><li></li></foo-test><a>
    -              <style>
    -                <! \${
    -              </style>
    -              }
    -              <foo-b id="><img src onerror='alert(1)'>">hmm...</foo-b>
    -            </a></table></li></mi></foo-test></math>
    -          `,
    -          {
    -            SAFE_FOR_TEMPLATES: true,
    -            CUSTOM_ELEMENT_HANDLING: {
    -              tagNameCheck: /^foo-/,
    -            },
    -          }
    -        );
    -        
    -

    Details

    -

    Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

    -

    This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

    -

    Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

    -

    Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

    -

    The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

    -

    Types of attacks

    -

    There are a few methods by which XSS can be manipulated:

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    TypeOriginDescription
    StoredServerThe malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
    ReflectedServerThe attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
    DOM-basedClientThe attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
    MutatedThe attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.
    -

    Affected environments

    -

    The following environments are susceptible to an XSS attack:

    -
      -
    • Web servers
    • -
    • Application servers
    • -
    • Web application environments
    • -
    -

    How to prevent

    -

    This section describes the top best practices designed to specifically protect your code:

    -
      -
    • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
    • -
    • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
    • -
    • Give users the option to disable client-side scripts.
    • -
    • Redirect invalid requests.
    • -
    • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
    • -
    • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
    • -
    • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.
    • -
    -

    Remediation

    -

    Upgrade dompurify to version 3.2.4 or higher.

    -

    References

    - - -
    - - -

    Regular Expression Denial of Service (ReDoS)

    @@ -2048,13 +3073,13 @@ Introduced through: argo-cd-ui@1.0.0 - redoc@2.0.0-rc.64 + redoc@2.4.0 - @redocly/openapi-core@1.0.0-beta.82 + @redocly/openapi-core@1.30.0 - minimatch@3.1.2 + minimatch@5.1.6 - brace-expansion@1.1.11 + brace-expansion@2.0.1 diff --git a/docs/snyk/v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html new file mode 100644 index 0000000000..36e1055493 --- /dev/null +++ b/docs/snyk/v3.2.7/ghcr.io_dexidp_dex_v2.43.0.html @@ -0,0 +1,5010 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:34:17 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • +
    +
    + +
    +
    46 known vulnerabilities
    +
    141 vulnerable dependency paths
    +
    1131 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/oauth2/jws +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/oauth2/jws@v0.24.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    +

    Remediation

    +

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Server-side Request Forgery (SSRF)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/http/httpproxy +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/net/http/httpproxy@v0.32.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    +

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    +

    Remediation

    +

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Handling of Unexpected Data Type

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and go.opentelemetry.io/otel/sdk/resource@v1.33.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + go.opentelemetry.io/otel/sdk/resource@v1.33.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Asymmetric Resource Consumption (Amplification)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/golang-jwt/jwt/v5 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/golang-jwt/jwt/v5@v5.2.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    +

    Remediation

    +

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Out-of-bounds Read

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/serf/coordinate +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/serf/coordinate@v0.10.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl/v2 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/gohcl@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclparse@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/json@v2.13.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl@v1.0.0 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl/hcl/token@v1.0.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/golang-lru/simplelru +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/golang-lru/simplelru@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-uuid +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-uuid@v1.0.3 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-sockaddr +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr@v1.0.7 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr/template@v1.0.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/strutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/parseutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/awsutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-rootcerts +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-rootcerts@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-retryablehttp@v0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-immutable-radix +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-immutable-radix@v1.3.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/errwrap +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/gosimple/slug@v1.14.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/go-sql-driver/mysql +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/go-sql-driver/mysql@v1.9.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-jose/go-jose/v4 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/go-jose/go-jose/v4@v4.0.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    +

    Workaround

    +

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    +

    Remediation

    +

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Initialization

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + filippo.io/edwards25519 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and filippo.io/edwards25519@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + filippo.io/edwards25519@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Initialization via the MultiScalarMult function when the receiver is not properly initialized. An attacker can cause invalid results or undefined behavior by invoking this function on an uninitialized or non-identity receiver.

    +

    Remediation

    +

    Upgrade filippo.io/edwards25519 to version 1.1.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Synchronous Access of Remote Resource without Timeout

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    +

    Remediation

    +

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + +
diff --git a/docs/snyk/v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
index 0000000000..800c4fa406
--- /dev/null
+++ b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -0,0 +1,3286 @@
+ + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:34:23 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • +
    +
    + +
    +
    15 known vulnerabilities
    +
    142 vulnerable dependency paths
    +
    19 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    +
    +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html new file mode 100644 index 0000000000..464edfb6cd --- /dev/null +++ b/docs/snyk/v3.2.7/public.ecr.aws_docker_library_redis_8.2.2-alpine.html @@ -0,0 +1,3126 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:34:29 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis (apk)
    • +
    +
    + +
    +
    14 known vulnerabilities
    +
    130 vulnerable dependency paths
    +
    22 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|public.ecr.aws/docker/library/redis
    Path public.ecr.aws/docker/library/redis:8.2.2-alpine/docker/library/redis
    Package Manager apk
    +
    +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-11187

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation + which can trigger a stack-based buffer overflow, invalid pointer or NULL + pointer dereference during MAC verification.

    +

    Impact summary: The stack buffer overflow or NULL pointer dereference may + cause a crash leading to Denial of Service for an application that parses + untrusted PKCS#12 files. The buffer overflow may also potentially enable + code execution depending on platform mitigations.

    +

    When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 + salt and keylength parameters from the file are used without validation. + If the value of keylength exceeds the size of the fixed stack buffer used + for the derived key (64 bytes), the key derivation will overflow the buffer. + The overflow length is attacker-controlled. Also, if the salt parameter is + not an OCTET STRING type this can lead to invalid or NULL pointer + dereference.

    +

    Exploiting this issue requires a user or application to process + a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted + PKCS#12 files in applications as they are usually used to store private + keys which are trusted by definition. For this reason the issue was assessed + as Moderate severity.

    +

    The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as + PKCS#12 processing is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue.

    +

    OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do + not support PBMAC1 in PKCS#12.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15469

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: The 'openssl dgst' command-line tool silently truncates input + data to 16MB when using one-shot signing algorithms and reports success instead + of an error.

    +

    Impact summary: A user signing or verifying files larger than 16MB with + one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire + file is authenticated while trailing data beyond 16MB remains unauthenticated.

    +

    When the 'openssl dgst' command is used with algorithms that only support + one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input + is buffered with a 16MB limit. If the input exceeds this limit, the tool + silently truncates to the first 16MB and continues without signaling an error, + contrary to what the documentation states. This creates an integrity gap where + trailing bytes can be modified without detection if both signing and + verification are performed using the same affected codepath.

    +

    The issue affects only the command-line tool behavior. Verifiers that process + the full message using library APIs will reject the signature, so the risk + primarily affects workflows that both sign and verify with the affected + 'openssl dgst' command. Streaming digest algorithms for 'openssl dgst' and + library users are unaffected.

    +

    The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the + command-line tools are outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.5 and 3.6 are vulnerable to this issue.

    +

    OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and openssl/libcrypto3@3.5.4-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libcrypto3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + .redis-rundeps@20251008.230521 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + apk-tools/apk-tools@2.14.9-r3 + + apk-tools/libapk2@2.14.9-r3 + + openssl/libssl3@3.5.4-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.22 openssl to version 3.5.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/busybox@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r19 + + busybox/busybox@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/busybox-binsh@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.22 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine and busybox/busybox@1.37.0-r19 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/busybox@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r19 + + busybox/busybox@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/busybox-binsh@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + alpine-baselayout/alpine-baselayout@3.7.0-r0 + + busybox/busybox-binsh@1.37.0-r19 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/redis@8.2.2-alpine + + busybox/ssl_client@1.37.0-r19 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.22 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.2.7/quay.io_argoproj_argocd_v3.2.7.html b/docs/snyk/v3.2.7/quay.io_argoproj_argocd_v3.2.7.html new file mode 100644 index 0000000000..773d5e1e2a --- /dev/null +++ b/docs/snyk/v3.2.7/quay.io_argoproj_argocd_v3.2.7.html @@ -0,0 +1,1282 @@ + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:34:50 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • quay.io/argoproj/argocd:v3.2.7/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.2.7//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.2.7/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.2.7/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    +
    + +
    +
    11 known vulnerabilities
    +
    12 vulnerable dependency paths
    +
    2322 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and go.opentelemetry.io/otel/sdk/resource@v1.38.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + go.opentelemetry.io/otel/sdk/resource@v1.38.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/r3labs/diff/v3@v3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-version@v1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-retryablehttp@v0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/gosimple/slug@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.2.7/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.04 +
    • +
    • + Vulnerable module: + + glibc/libc-bin +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.2.7 and glibc/libc-bin@2.41-6ubuntu1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.2.7 + + glibc/libc-bin@2.41-6ubuntu1.2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.2.7 + + glibc/libc6@2.41-6ubuntu1.2 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    +

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.04 glibc.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.3.0-rc3/argocd-test.html b/docs/snyk/v3.3.0-rc3/argocd-test.html deleted file mode 100644 index 5c4883693f..0000000000 --- a/docs/snyk/v3.3.0-rc3/argocd-test.html +++ /dev/null @@ -1,1024 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:28:05 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • /argo-cd/argoproj/gitops-engine/gitops-engine/go.mod (gomodules)
    • -
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • -
    • /argo-cd/ui/yarn.lock (yarn)
    • -
    -
    - -
    -
    4 known vulnerabilities
    -
    8 vulnerable dependency paths
    -
    1012 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - qs -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - qs@6.11.0 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - qs@6.11.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

    -

    PoC

    -
    
    -        const qs = require('qs');
    -        const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    -        const result = qs.parse(attack, { arrayLimit: 100 });
    -        console.log(result.a.length);  // Output: 10000 (should be max 100)
    -        
    -

    Remediation

    -

    Upgrade qs to version 6.14.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - foundation-sites -
    • - -
    • Introduced through: - - argo-cd-ui@1.0.0 and foundation-sites@6.8.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - foundation-sites@6.8.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    foundation-sites is a responsive front-end framework

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.

    -

    PoC

    -
    https://www.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for foundation-sites.

    -

    References

    - - -
    - - - -
    -
    -

    Insecure Randomness

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - formidable -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, superagent@8.1.2 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - superagent@8.1.2 - - formidable@2.1.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Insecure Randomness due to its use of the hexoid() function in the generation of fingerprint IDs.

    -

    Remediation

    -

    Upgrade formidable to version 2.1.3, 3.5.3 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Regular Expression Denial of Service (ReDoS)

    -
    - -
    -
    - low severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: /argo-cd ui/yarn.lock -
    • -
    • - Package Manager: npm -
    • -
    • - Vulnerable module: - - brace-expansion -
    • - -
    • Introduced through: - - - argo-cd-ui@1.0.0, argo-ui@1.0.0 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - argo-cd-ui@1.0.0 - - argo-ui@1.0.0 - - minimatch@5.1.6 - - brace-expansion@2.0.1 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - redoc@2.4.0 - - @redocly/openapi-core@1.30.0 - - minimatch@5.1.6 - - brace-expansion@2.0.1 - - - -
    • -
    • - Introduced through: - argo-cd-ui@1.0.0 - - minimatch@3.1.2 - - brace-expansion@1.1.11 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    brace-expansion is a Brace expansion as known from sh/bash

    -

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

    -

    PoC

    -
    import index from "./index.js";
    -        
    -        let str = "{a}" + ",".repeat(100000) + "\u0000";
    -        
    -        let startTime = performance.now();
    -        
    -        const result = index(str);
    -        
    -        let endTime = performance.now();
    -        
    -        let timeTaken = endTime - startTime;
    -        
    -        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
    -        
    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    -

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    -

    Let’s take the following regular expression as an example:

    -
    regex = /A(B|C+)+D/
    -        
    -

    This regular expression accomplishes the following:

    -
      -
    • A The string must start with the letter 'A'
    • -
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • -
    • D Finally, we ensure this section of the string ends with a 'D'
    • -
    -

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    -

    It most cases, it doesn't take very long for a regex engine to find a match:

    -
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    -        0.04s user 0.01s system 95% cpu 0.052 total
    -        
    -        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    -        1.79s user 0.02s system 99% cpu 1.812 total
    -        
    -

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    -

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    -

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    -
      -
    1. CCC
    2. -
    3. CC+C
    4. -
    5. C+CC
    6. -
    7. C+C+C.
    8. -
    -

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    -

    From there, the number of steps the engine must use to validate a string just continues to grow.

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    -

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    -

    Remediation

    -

    Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.3.0-rc3/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.3.0-rc3/ghcr.io_dexidp_dex_v2.43.0.html deleted file mode 100644 index 66b55f52ad..0000000000 --- a/docs/snyk/v3.3.0-rc3/ghcr.io_dexidp_dex_v2.43.0.html +++ /dev/null @@ -1,1993 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:28:13 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • -
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • -
    -
    - -
    -
    15 known vulnerabilities
    -
    41 vulnerable dependency paths
    -
    1131 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/oauth2/jws -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/oauth2/jws@v0.24.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    -

    Remediation

    -

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Server-side Request Forgery (SSRF)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/net/http/httpproxy -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/net/http/httpproxy@v0.32.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    -

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    -

    Remediation

    -

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Handling of Unexpected Data Type

    -
    - -
    -
    - high severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    -

    Details

    -

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    -

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    -

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    -

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    -

    Two common types of DoS vulnerabilities:

    -
      -
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      -
    • -
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      -
    • -
    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Asymmetric Resource Consumption (Amplification)

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/golang-jwt/jwt/v5 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/golang-jwt/jwt/v5@v5.2.1 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    -

    Remediation

    -

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Read

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh/agent -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh/agent@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - golang.org/x/crypto/ssh -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - golang.org/x/crypto/ssh@v0.31.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    golang.org/x/crypto/ssh is a SSH client and server

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    -

    Remediation

    -

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Observable Discrepancy

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Proof of Concept -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api/auth/userpass -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api/auth/userpass@v0.8.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Observable Discrepancy via userpass auth method. An attacker can enumerate valid usernames on this auth method through brute force or a list of known usernames.

    -

    ##Workaround

    -

    This issue can be partially mitigated by using rate-limit quotas in Vault or enabling network level controls for rate limiting that restrict access to Vault. Customers may also consider enforcing login MFA for the userpass auth mounts.

    -

    Remediation

    -

    There is no fixed version for github.com/hashicorp/vault/api/auth/userpass.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/go-jose/go-jose/v4 -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/go-jose/go-jose/v4@v4.0.2 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    -

    Workaround

    -

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    -

    Remediation

    -

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Synchronous Access of Remote Resource without Timeout

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/hashicorp/vault/api -
    • - -
    • Introduced through: - - github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/hairyhenderson/gomplate/v4@* - - github.com/hashicorp/vault/api@v1.15.0 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    -

    Remediation

    -

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|ghcr.io/dexidp/dex@v2.43.0 - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html deleted file mode 100644 index 648b55d8b7..0000000000 --- a/docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html +++ /dev/null @@ -1,1359 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:28:17 am (UTC+00:00)

    -
    -
    - Scanned the following path: -
      -
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • -
    -
    - -
    -
    5 known vulnerabilities
    -
    42 vulnerable dependency paths
    -
    19 dependencies
    -
    -
    -
    -
    -
    - - - - - - - -
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    -
    -
    -
    -
    -

    CVE-2025-9230

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application trying to decrypt CMS messages encrypted using - password based encryption can trigger an out-of-bounds read and write.

    -

    Impact summary: This out-of-bounds read may trigger a crash which leads to - Denial of Service for an application. The out-of-bounds write can cause - a memory corruption which can have various consequences including - a Denial of Service or Execution of attacker-supplied code.

    -

    Although the consequences of a successful exploit of this vulnerability - could be severe, the probability that the attacker would be able to - perform it is low. Besides, password based (PWRI) encryption support in CMS - messages is very rarely used. For that reason the issue was assessed as - Moderate severity according to our Security Policy.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the CMS implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9231

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: A timing side-channel which could potentially allow remote - recovery of the private key exists in the SM2 algorithm implementation on 64 bit - ARM platforms.

    -

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit - ARM platforms could allow recovering the private key by an attacker..

    -

    While remote key recovery over a network was not attempted by the reporter, - timing measurements revealed a timing signal which may allow such an attack.

    -

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so - this CVE is not relevant in most TLS contexts. However, given that it is - possible to add support for such certificates via a custom provider, coupled - with the fact that in such a custom provider context the private key may be - recoverable via remote timing measurements, we consider this to be a Moderate - severity issue.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as SM2 is not an approved algorithm.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9232

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - openssl/libcrypto3 -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - openssl/libcrypto3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - .haproxy-rundeps@20250214.191219 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - apk-tools/apk-tools@2.14.6-r3 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - openssl/libssl3@3.3.3-r0 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    Issue summary: An application using the OpenSSL HTTP client API functions may - trigger an out-of-bounds read if the 'no_proxy' environment variable is set and - the host portion of the authority component of the HTTP URL is an IPv6 address.

    -

    Impact summary: An out-of-bounds read can trigger a crash which leads to - Denial of Service for an application.

    -

    The OpenSSL HTTP client API functions can be used directly by applications - but they are also used by the OCSP client functions and CMP (Certificate - Management Protocol) client implementation in OpenSSL. However the URLs used - by these implementations are unlikely to be controlled by an attacker.

    -

    In this vulnerable code the out of bounds read can only trigger a crash. - Furthermore the vulnerability requires an attacker-controlled URL to be - passed from an application to the OpenSSL function and the user has to have - a 'no_proxy' environment variable set. For the aforementioned reasons the - issue was assessed as Low severity.

    -

    The vulnerable code was introduced in the following patch releases: - 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    -

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this - issue, as the HTTP client implementation is outside the OpenSSL FIPS module - boundary.

    -

    Remediation

    -

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.21 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - busybox/busybox@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - alpine-baselayout/alpine-baselayout@3.6.8-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - ca-certificates/ca-certificates@20241121-r1 - - busybox/busybox-binsh@1.37.0-r12 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine - - busybox/ssl_client@1.37.0-r12 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.21 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - - diff --git a/docs/snyk/v3.3.0-rc3/quay.io_argoproj_argocd_v3.3.0-rc3.html b/docs/snyk/v3.3.0-rc3/quay.io_argoproj_argocd_v3.3.0-rc3.html deleted file mode 100644 index 364773cc3f..0000000000 --- a/docs/snyk/v3.3.0-rc3/quay.io_argoproj_argocd_v3.3.0-rc3.html +++ /dev/null @@ -1,2556 +0,0 @@ - - - - - - - - - Snyk test report - - - - - - - - - -
    -
    -
    -
    - - - Snyk - Open Source Security - - - - - - - -
    -

    Snyk test report

    - -

    January 18th 2026, 12:28:47 am (UTC+00:00)

    -
    -
    - Scanned the following paths: -
      -
    • quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.3.0-rc3//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.3.0-rc3/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.3.0-rc3/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • -
    -
    - -
    -
    19 known vulnerabilities
    -
    62 vulnerable dependency paths
    -
    2321 dependencies
    -
    -
    -
    -
    - -
    -
    -
    -

    Out-of-bounds Write

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - gnupg2/gpgv -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and gnupg2/gpgv@2.4.4-2ubuntu23.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpgv@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - gnupg2/gpgv@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/dirmngr@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/dirmngr@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    In GnuPG before 2.4.9, armor_filter in g10/armor.c has two increments of an index variable where one is intended, leading to an out-of-bounds write for crafted input. (For ExtendedLTS, 2.2.51 and later are fixed versions.)

    -

    Remediation

    -

    Upgrade Ubuntu:25.04 gnupg2 to version 2.4.4-2ubuntu23.2 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - high severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argo-cd/v3 /usr/local/bin/argocd -
    • -
    • - Package Manager: golang -
    • -
    • - Vulnerable module: - - github.com/expr-lang/expr/builtin -
    • - -
    • Introduced through: - - github.com/argoproj/argo-cd/v3@* and github.com/expr-lang/expr/builtin@v1.17.6 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - github.com/argoproj/argo-cd/v3@* - - github.com/expr-lang/expr/builtin@v1.17.6 - - - -
    • -
    - -
    - -
    - -

    Overview

    -

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the flatten, min, max, mean, and median functions when processing deeply nested or cyclic data structures. An attacker can cause the application to crash by supplying maliciously crafted input that triggers unbounded recursion and stack exhaustion.

    -

    Workaround

    -

    This vulnerability can be mitigated by ensuring evaluation environments do not contain cyclic references, validating or sanitizing externally supplied data structures, and wrapping expression evaluation with panic recovery to prevent a full process crash.

    -

    Remediation

    -

    Upgrade github.com/expr-lang/expr/builtin to version 1.17.7 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - tar -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and tar@1.35+dfsg-3.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - tar@1.35+dfsg-3.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - dpkg@1.22.18ubuntu2.2 - - tar@1.35+dfsg-3.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 tar.

    -

    References

    - - -
    - - - -
    -
    -

    Directory Traversal

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - pam/libpam0g -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and pam/libpam0g@1.5.3-7ubuntu4.4 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - pam/libpam0g@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - pam/libpam-modules-bin@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - pam/libpam-modules@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux@2.40.2-14ubuntu1.2 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - pam/libpam-runtime@1.5.3-7ubuntu4.4 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 pam.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Encoding or Escaping of Output

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - git/git-man -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - git/git-man@1:2.48.1-0ubuntu1.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git-lfs@3.6.1-1 - - git@1:2.48.1-0ubuntu1.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 git.

    -

    References

    - - -
    - - - -
    -
    -

    Algorithmic Complexity

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - expat/libexpat1 -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - expat/libexpat1@2.7.1-1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 expat.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-11563

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    This vulnerability has not been analyzed by NVD yet.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-13034

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey - with the curl tool,curl should check the public key of the server certificate - to verify the peer.

    -

    This check was skipped in a certain condition that would then make curl allow - the connection without performing the proper check, thus not noticing a - possible impostor. To skip this check, the connection had to be done with QUIC - with ngtcp2 built to use GnuTLS and the user had to explicitly disable the - standard certificate verification.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-56433

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - shadow/login.defs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and shadow/login.defs@1:4.16.0-7ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - util-linux/login@1:4.16.0-2+really2.40.2-14ubuntu1.2 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - shadow/login.defs@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - openssh/openssh-client@1:9.9p1-3ubuntu3.2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - adduser@3.137ubuntu2 - - shadow/passwd@1:4.16.0-7ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 shadow.

    -

    References

    - - -
    - - - -
    -
    -

    Double Free

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Release of Invalid Pointer or Reference

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - patch -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and patch@2.7.6-7build3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - patch@2.7.6-7build3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 patch.

    -

    References

    - - -
    - - - -
    -
    -

    Information Exposure

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - libgcrypt20 -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and libgcrypt20@1.11.0-6ubuntu1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/dirmngr@2.4.4-2ubuntu23.1 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.1 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - gnupg2/gpgv@2.4.4-2ubuntu23.1 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - libgcrypt20@1.11.0-6ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 libgcrypt20.

    -

    References

    - - -
    - - - -
    -
    -

    Out-of-bounds Write

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - gnupg2/gpgv -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and gnupg2/gpgv@2.4.4-2ubuntu23.1 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpgv@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - apt@3.0.0 - - gnupg2/gpgv@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/dirmngr@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - gnupg2/gpgconf@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/dirmngr@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg@2.4.4-2ubuntu23.1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - gnupg2/gpg-agent@2.4.4-2ubuntu23.1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 gnupg2.

    -

    References

    - - -
    - - - -
    -
    -

    Allocation of Resources Without Limits or Throttling

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - glibc/libc-bin -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and glibc/libc-bin@2.41-6ubuntu1.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - glibc/libc-bin@2.41-6ubuntu1.2 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - glibc/libc6@2.41-6ubuntu1.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 glibc.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9086

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -
      -
    1. A cookie is set using the secure keyword for https://target
    2. -
    3. curl is redirected to or otherwise made to speak with http://target (same - hostname, but using clear text HTTP) using the same cookie set
    4. -
    5. The same cookie name is set - but with just a slash as path (path=\&#34;/\&#34;,). - Since this site is not secure, the cookie should just be ignored.
    6. -
    7. A bug in the path comparison logic makes curl read outside a heap buffer - boundary
    8. -
    -

    The bug either causes a crash or it potentially makes the comparison come to - the wrong conclusion and lets the clear-text site override the contents of the - secure cookie, contrary to expectations and depending on the memory contents - immediately following the single-byte allocation that holds the path.

    -

    The presumed and correct behavior would be to plainly ignore the second set of - the cookie since it was already set as secure on a secure host so overriding - it on an insecure host should not be okay.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-10148

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    curl's websocket code did not update the 32 bit mask pattern for each new - outgoing frame as the specification says. Instead it used a fixed mask that - persisted and was used throughout the entire connection.

    -

    A predictable mask pattern allows for a malicious server to induce traffic - between the two communicating parties that could be interpreted by an involved - proxy (configured or transparent) as genuine, real, HTTP traffic with content - and thereby poison its cache. That cached poisoned content could then be - served to all users of that proxy.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14819

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When doing TLS related transfers with reused easy or multi handles and - altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally - reuse a CA store cached in memory for which the partial chain option was - reversed. Contrary to the user's wishes and expectations. This could make - libcurl find and accept a trust chain that it otherwise would not.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-14524

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3, git@1:2.48.1-0ubuntu1.1 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - git@1:2.48.1-0ubuntu1.1 - - curl/libcurl3t64-gnutls@8.12.1-3ubuntu1 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer - performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, - POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new - target host.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    Improper Input Validation

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.3.0-rc3/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:25.04 -
    • -
    • - Vulnerable module: - - coreutils -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 and coreutils@9.5-1ubuntu1.25.04.2 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.3.0-rc3 - - coreutils@9.5-1ubuntu1.25.04.2 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. - See How to fix? for Ubuntu:25.04 relevant fixed versions and status.

    -

    chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:25.04 coreutils.

    -

    References

    - - -
    - - - -
    -
    -
    -
    - - -
diff --git a/docs/snyk/v3.3.0-rc3/argocd-iac-install.html b/docs/snyk/v3.3.1/argocd-iac-install.html
similarity index 99%
rename from docs/snyk/v3.3.0-rc3/argocd-iac-install.html
rename to docs/snyk/v3.3.1/argocd-iac-install.html
index 6a70b20ae6..b203900a3a 100644
--- a/docs/snyk/v3.3.0-rc3/argocd-iac-install.html
+++ b/docs/snyk/v3.3.1/argocd-iac-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:30:28 am (UTC+00:00)

    +

    February 22nd 2026, 12:33:46 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.3.0-rc3/argocd-iac-namespace-install.html b/docs/snyk/v3.3.1/argocd-iac-namespace-install.html
similarity index 99%
rename from docs/snyk/v3.3.0-rc3/argocd-iac-namespace-install.html
rename to docs/snyk/v3.3.1/argocd-iac-namespace-install.html
index 1e32d59006..c4b105355b 100644
--- a/docs/snyk/v3.3.0-rc3/argocd-iac-namespace-install.html
+++ b/docs/snyk/v3.3.1/argocd-iac-namespace-install.html
@@ -456,7 +456,7 @@

    Snyk test report

    -

    January 18th 2026, 12:30:38 am (UTC+00:00)

    +

    February 22nd 2026, 12:33:57 am (UTC+00:00)

    Scanned the following path:
diff --git a/docs/snyk/v3.3.1/argocd-test.html b/docs/snyk/v3.3.1/argocd-test.html
new file mode 100644
index 0000000000..4ba8070c1e
--- /dev/null
+++ b/docs/snyk/v3.3.1/argocd-test.html
@@ -0,0 +1,3294 @@
    + + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:31:18 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • /argo-cd/argoproj/argo-cd/v3/go.mod (gomodules)
    • +
    • /argo-cd/argoproj/gitops-engine/gitops-engine/go.mod (gomodules)
    • +
    • /argo-cd/argoproj/argo-cd/get-previous-release/hack/get-previous-release/go.mod (gomodules)
    • +
    • /argo-cd/ui/yarn.lock (yarn)
    • +
    +
    + +
    +
    21 known vulnerabilities
    +
    67 vulnerable dependency paths
    +
    2868 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + qs +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + qs@6.11.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + qs@6.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via improper enforcement of the arrayLimit option in bracket notation parsing. An attacker can exhaust server memory and cause application unavailability by submitting a large number of bracket notation parameters - like a[]=1&a[]=2 - in a single HTTP request.

    +

    PoC

    +
    
    +        const qs = require('qs');
    +        const attack = 'a[]=' + Array(10000).fill('x').join('&a[]=');
    +        const result = qs.parse(attack, { arrayLimit: 100 });
    +        console.log(result.a.length);  // Output: 10000 (should be max 100)
    +        
    +

    Remediation

    +

    Upgrade qs to version 6.14.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + minimatch +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, argo-ui@1.0.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + minimatch@5.1.6 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    minimatch is a minimal matching utility.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the AST class, caused by catastrophic backtracking when an input string contains many * characters in a row, followed by an unmatched character.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade minimatch to version 10.2.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and go.opentelemetry.io/otel/sdk/resource@1.38.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/sdk/trace@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/internal/tracetransform@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc/internal/otlpconfig@1.38.0 + + go.opentelemetry.io/otel/exporters/otlp/otlptrace@1.38.0 + + go.opentelemetry.io/otel/sdk/trace@1.38.0 + + go.opentelemetry.io/otel/sdk/resource@1.38.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Uncaught Exception

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Uncaught Exception in the numeric entity processing when parsing XML containing out-of-range entity code points. An attacker can cause the application to crash by submitting specially crafted XML input that triggers an uncaught exception.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.4 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    XML Entity Expansion

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to XML Entity Expansion in replaceEntitiesValue() when handling excessive DOCTYPE input. An attacker can cause excessive resource consumption and make the application unresponsive by submitting malicious XML input with large text entities referenced multiple times. This is a bypass for Billion Laughs protection in DocTypeReader.js, which prevents excessive referencing within and entity, but doesn't prevent repeated expansion of large entities.

    +

    Workaround

    +

    This vulnerability can be mitigated by disabling DOCTYPE parsing using the processEntities: false option.

    +

    PoC

    +
    const { XMLParser } = require('fast-xml-parser');
    +        
    +        const entity = 'A'.repeat(1000);
    +        const refs = '&big;'.repeat(100);
    +        const xml = `<!DOCTYPE foo [<!ENTITY big "${entity}">]><root>${refs}</root>`;
    +        
    +        console.time('parse');
    +        new XMLParser().parse(xml);
    +        console.timeEnd('parse');
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.6 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Incorrect Regular Expression

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + fast-xml-parser +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, redoc@2.4.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + openapi-sampler@1.6.1 + + fast-xml-parser@4.5.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    fast-xml-parser is a Validate XML, Parse XML, Build XML without C/C++ based libraries

    +

    Affected versions of this package are vulnerable to Incorrect Regular Expression in the entity parsing RegEx in DOCTYPE declarations. An attacker can inject arbitrary values that override built-in XML entities by crafting entity names containing ., which is interpreted as a regex wildcard, allowing malicious content to be substituted in place of standard entities when the XML is parsed and subsequently rendered or used in sensitive contexts.

    +

    Remediation

    +

    Upgrade fast-xml-parser to version 5.3.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + qs +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + qs@6.11.0 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + qs@6.11.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    qs is a querystring parser that supports nesting and arrays, with a depth limit.

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the parseArrayValue function when the comma option is in use. An attacker can exhaust system memory by submitting a parameter containing a large number of comma-separated values, resulting in the allocation of excessively large arrays.

    +

    Note: + This is only exploitable if the comma option is explicitly set to true. arrayLimit is properly enforced for index and bracket notation.

    +

    PoC

    +
    const qs = require('qs');
    +        
    +        const payload = 'a=' + ','.repeat(25);  // 26 elements after split (bypasses arrayLimit: 5)
    +        const options = { comma: true, arrayLimit: 5, throwOnLimitExceeded: true };
    +        
    +        try {
    +          const result = qs.parse(payload, options);
    +          console.log(result.a.length);  // Outputs: 26 (bypass successful)
    +        } catch (e) {
    +          console.log('Limit enforced:', e.message);  // Not thrown
    +        }
    +        
    +

    Remediation

    +

    Upgrade qs to version 6.14.2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash-es +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and lodash-es@4.17.21 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash-es@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash-es to version 4.17.23 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Prototype Pollution

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + lodash +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, dagre@0.8.5 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + dagre@0.8.5 + + graphlib@2.1.8 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + react-hot-loader@3.1.3 + + react-proxy@3.0.0-alpha.1 + + lodash@4.17.21 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + react-form@2.16.3 + + redux@3.7.2 + + lodash@4.17.21 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    lodash is a modern JavaScript utility library delivering modularity, performance, & extras.

    +

    Affected versions of this package are vulnerable to Prototype Pollution via the _.unset and _.omit functions. An attacker can delete methods held in properties of global prototypes but cannot overwrite those properties.

    +

    Details

    +

    Prototype Pollution is a vulnerability affecting JavaScript. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. JavaScript allows all Object attributes to be altered, including their magical attributes such as __proto__, constructor and prototype. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. Properties on the Object.prototype are then inherited by all the JavaScript objects through the prototype chain. When that happens, this leads to either denial of service by triggering JavaScript exceptions, or it tampers with the application source code to force the code path that the attacker injects, thereby leading to remote code execution.

    +

    There are two main ways in which the pollution of prototypes occurs:

    +
      +
    • Unsafe Object recursive merge

      +
    • +
    • Property definition by path

      +
    • +
    +

    Unsafe Object recursive merge

    +

    The logic of a vulnerable recursive merge function follows the following high-level model:

    +
    merge (target, source)
    +        
    +          foreach property of source
    +        
    +            if property exists and is an object on both the target and the source
    +        
    +              merge(target[property], source[property])
    +        
    +            else
    +        
    +              target[property] = source[property]
    +        
    +
    + +

    When the source object contains a property named __proto__ defined with Object.defineProperty() , the condition that checks if the property exists and is an object on both the target and the source passes and the merge recurses with the target, being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied on the Object prototype.

    +

    Clone operations are a special sub-class of unsafe recursive merges, which occur when a recursive merge is conducted on an empty object: merge({},source).

    +

    lodash and Hoek are examples of libraries susceptible to recursive merge attacks.

    +

    Property definition by path

    +

    There are a few JavaScript libraries that use an API to define property values on an object based on a given path. The function that is generally affected contains this signature: theFunction(object, path, value)

    +

    If the attacker can control the value of “path”, they can set this value to __proto__.myValue. myValue is then assigned to the prototype of the class of the object.

    +

    Types of attacks

    +

    There are a few methods by which Prototype Pollution can be manipulated:

    + + + + + + + + + + + + + + + + + + + + + + + +
    TypeOriginShort description
    Denial of service (DoS)ClientThis is the most likely attack.
    DoS occurs when Object holds generic functions that are implicitly called for various operations (for example, toString and valueOf).
    The attacker pollutes Object.prototype.someattr and alters its state to an unexpected value such as Int or Object. In this case, the code fails and is likely to cause a denial of service.
    For example: if an attacker pollutes Object.prototype.toString by defining it as an integer, if the codebase at any point was reliant on someobject.toString() it would fail.
    Remote Code ExecutionClientRemote code execution is generally only possible in cases where the codebase evaluates a specific attribute of an object, and then executes that evaluation.
    For example: eval(someobject.someattr). In this case, if the attacker pollutes Object.prototype.someattr they are likely to be able to leverage this in order to execute code.
    Property InjectionClientThe attacker pollutes properties that the codebase relies on for their informative value, including security properties such as cookies or tokens.
    For example: if a codebase checks privileges for someuser.isAdmin, then when the attacker pollutes Object.prototype.isAdmin and sets it to equal true, they can then achieve admin privileges.
    +

    Affected environments

    +

    The following environments are susceptible to a Prototype Pollution attack:

    +
      +
    • Application server

      +
    • +
    • Web server

      +
    • +
    • Web browser

      +
    • +
    +

    How to prevent

    +
      +
    1. Freeze the prototype— use Object.freeze (Object.prototype).

      +
    2. +
    3. Require schema validation of JSON input.

      +
    4. +
    5. Avoid using unsafe recursive merge functions.

      +
    6. +
    7. Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.

      +
    8. +
    9. As a best practice use Map instead of Object.

      +
    10. +
    +

    For more information on this vulnerability type:

    +

    Arteau, Olivier. “JavaScript prototype pollution attack in NodeJS application.” GitHub, 26 May 2018

    +

    Remediation

    +

    Upgrade lodash to version 4.17.23 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/gitops-engine gitops-engine/go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + + github.com/argoproj/gitops-engine@0.0.0, k8s.io/kubectl/pkg/cmd/auth@0.34.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/auth@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/create@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/apply@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/replace@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/delete@0.34.0 + + k8s.io/kubectl/pkg/util/completion@0.34.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/gitops-engine gitops-engine/go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + + github.com/argoproj/gitops-engine@0.0.0, k8s.io/kubectl/pkg/cmd/auth@0.34.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/auth@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/create@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/apply@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/replace@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/gitops-engine@0.0.0 + + k8s.io/kubectl/pkg/cmd/delete@0.34.0 + + k8s.io/kubectl/pkg/util/completion@0.34.0 + + k8s.io/kubectl/pkg/cmd/util@0.34.0 + + k8s.io/kubectl/pkg/util/templates@0.34.0 + + k8s.io/kubectl/pkg/util/term@0.34.0 + + k8s.io/client-go/tools/remotecommand@0.34.0 + + k8s.io/client-go/transport/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/httpstream/spdy@0.34.0 + + k8s.io/apimachinery/pkg/util/proxy@0.34.0 + + golang.org/x/net/html@0.44.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/r3labs/diff/v3@3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/r3labs/diff/v3@3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, code.gitea.io/sdk/gitea@0.22.1 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + code.gitea.io/sdk/gitea@0.22.1 + + github.com/hashicorp/go-version@1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/hashicorp/go-retryablehttp@0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.8.1 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/hashicorp/go-retryablehttp@0.7.8 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.8.1 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + gitlab.com/gitlab-org/api/client-go@1.8.1 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/cmd@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/api@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/argoproj/notifications-engine/pkg/controller@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/subscriptions@#a23b5827d630 + + github.com/argoproj/notifications-engine/pkg/services@#a23b5827d630 + + github.com/opsgenie/opsgenie-go-sdk-v2/client@1.2.23 + + github.com/hashicorp/go-retryablehttp@0.7.8 + + github.com/hashicorp/go-cleanhttp@0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@0.0.0 and github.com/gosimple/slug@1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/gosimple/slug@1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd/argoproj/argo-cd/v3 go.mod +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + + github.com/argoproj/argo-cd/v3@0.0.0, github.com/go-git/go-git/v5@5.14.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@0.0.0 + + github.com/go-git/go-git/v5@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/client@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/file@5.14.0 + + github.com/go-git/go-git/v5/plumbing/transport/server@5.14.0 + + github.com/go-git/go-git/v5/storage/filesystem@5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + foundation-sites +
    • + +
    • Introduced through: + + argo-cd-ui@1.0.0 and foundation-sites@6.8.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + foundation-sites@6.8.1 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + foundation-sites@6.8.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    foundation-sites is a responsive front-end framework

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to inefficient backtracking in the regular expressions used in URL forms.

    +

    PoC

    +
    https://www.''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    There is no fixed version for foundation-sites.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + diff +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, unidiff@1.0.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + unidiff@1.0.2 + + diff@2.2.3 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    diff is a javascript text differencing implementation.

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parsePatch() and applyPatch() functions if the user input passed without sanitisation. An attacker can cause the process to enter an infinite loop and exhaust system memory by providing a patch with filename headers containing \r, \u2028, or \u2029 characters or having control over patch's patch header for application generated patches.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade diff to version 3.5.1, 4.0.4, 5.2.2, 8.0.3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Insecure Randomness

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + formidable +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, superagent@8.1.2 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + superagent@8.1.2 + + formidable@2.1.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Insecure Randomness due to its use of the hexoid() function in the generation of fingerprint IDs.

    +

    Remediation

    +

    Upgrade formidable to version 2.1.3, 3.5.3 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Regular Expression Denial of Service (ReDoS)

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: /argo-cd ui/yarn.lock +
    • +
    • + Package Manager: npm +
    • +
    • + Vulnerable module: + + brace-expansion +
    • + +
    • Introduced through: + + + argo-cd-ui@1.0.0, argo-ui@1.0.0 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + argo-cd-ui@1.0.0 + + argo-ui@1.0.0 + + minimatch@5.1.6 + + brace-expansion@2.0.1 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + redoc@2.4.0 + + @redocly/openapi-core@1.30.0 + + minimatch@5.1.6 + + brace-expansion@2.0.1 + + + +
    • +
    • + Introduced through: + argo-cd-ui@1.0.0 + + minimatch@3.1.2 + + brace-expansion@1.1.11 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    brace-expansion is a Brace expansion as known from sh/bash

    +

    Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the expand() function, which is prone to catastrophic backtracking on very long malicious inputs.

    +

    PoC

    +
    import index from "./index.js";
    +        
    +        let str = "{a}" + ",".repeat(100000) + "\u0000";
    +        
    +        let startTime = performance.now();
    +        
    +        const result = index(str);
    +        
    +        let endTime = performance.now();
    +        
    +        let timeTaken = endTime - startTime;
    +        
    +        console.log(`匹配耗时: ${timeTaken.toFixed(3)} 毫秒`);
    +        
    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

    +

    The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

    +

    Let’s take the following regular expression as an example:

    +
    regex = /A(B|C+)+D/
    +        
    +

    This regular expression accomplishes the following:

    +
      +
    • A The string must start with the letter 'A'
    • +
    • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
    • +
    • D Finally, we ensure this section of the string ends with a 'D'
    • +
    +

    The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

    +

    It most cases, it doesn't take very long for a regex engine to find a match:

    +
    $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
    +        0.04s user 0.01s system 95% cpu 0.052 total
    +        
    +        $ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
    +        1.79s user 0.02s system 99% cpu 1.812 total
    +        
    +

    The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

    +

    Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

    +

    Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

    +
      +
    1. CCC
    2. +
    3. CC+C
    4. +
    5. C+CC
    6. +
    7. C+C+C.
    8. +
    +

    The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

    +

    From there, the number of steps the engine must use to validate a string just continues to grow.

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    StringNumber of C'sNumber of steps
    ACCCX338
    ACCCCX471
    ACCCCCX5136
    ACCCCCCCCCCCCCCX1465,553
    +

    By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

    +

    Remediation

    +

    Upgrade brace-expansion to version 1.1.12, 2.0.2, 3.0.1, 4.0.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + +
diff --git a/docs/snyk/v3.3.1/ghcr.io_dexidp_dex_v2.43.0.html b/docs/snyk/v3.3.1/ghcr.io_dexidp_dex_v2.43.0.html
new file mode 100644
index 0000000000..0c9b73d77c
--- /dev/null
+++ b/docs/snyk/v3.3.1/ghcr.io_dexidp_dex_v2.43.0.html
@@ -0,0 +1,5010 @@
+ + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:31:30 am (UTC+00:00)

    +
    +
    + Scanned the following paths: +
      +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex (apk)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4//usr/local/bin/gomplate (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/docker-entrypoint (gomodules)
    • +
    • ghcr.io/dexidp/dex:v2.43.0/dexidp/dex//usr/local/bin/dex (gomodules)
    • +
    +
    + +
    +
    46 known vulnerabilities
    +
    141 vulnerable dependency paths
    +
    1131 dependencies
    +
    +
    +
    +
    + +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/oauth2/jws +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/oauth2/jws@v0.24.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/oauth2/jws@v0.24.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to improper parsing of malformed tokens which can lead to memory consumption.

    +

    Remediation

    +

    Upgrade golang.org/x/oauth2/jws to version 0.27.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Server-side Request Forgery (SSRF)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/http/httpproxy +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/net/http/httpproxy@v0.32.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/net/http/httpproxy@v0.32.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/http/httpproxy is a package for HTTP proxy determination based on environment variables, as provided by net/http's ProxyFromEnvironment function

    +

    Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in proxy.go, because hostname matching against proxy patterns may treat an IPv6 zone ID as a hostname component. An environment variable value like *.example.com could be matched to a request intended for [::1%25.example.com]:80.

    +

    Remediation

    +

    Upgrade golang.org/x/net/http/httpproxy to version 0.36.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Handling of Unexpected Data Type

    +
    + +
    +
    + high severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type when functions including List() and SignWithFlags() process *successAgentMsg. This can be triggered by a malicious agent sending a single 0x06 byte (SSH_AGENT_SUCCESS), which is unmarshalled into a *successAgentMsg, causing a panic and client crash.

    +

    Details

    +

    Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

    +

    Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

    +

    One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

    +

    When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

    +

    Two common types of DoS vulnerabilities:

    +
      +
    • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

      +
    • +
    • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

      +
    • +
    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.43.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in handshakeTransport in handshake.go. An internal queue gets populated with received packets during the key exchange process, while waiting for the client to send a SSH_MSG_KEXINIT. An attacker can cause the server to become unresponsive to new connections by delaying or withholding this message, or by causing the queue to consume all available memory.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.35.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Untrusted Search Path

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + go.opentelemetry.io/otel/sdk/resource +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and go.opentelemetry.io/otel/sdk/resource@v1.33.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + go.opentelemetry.io/otel/sdk/resource@v1.33.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

    +

    Note: This vulnerability is only exploitable on MacOS/Darwin systems.

    +

    Remediation

    +

    Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Asymmetric Resource Consumption (Amplification)

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/golang-jwt/jwt/v5 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/golang-jwt/jwt/v5@v5.2.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/golang-jwt/jwt/v5@v5.2.1 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Asymmetric Resource Consumption (Amplification) through the parse.ParseUnverified function. An attacker can cause excessive memory allocation by sending a crafted request with many period characters in the Authorization header.

    +

    Remediation

    +

    Upgrade github.com/golang-jwt/jwt/v5 to version 5.2.2 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Inefficient Algorithmic Complexity

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity via the html.Parse function due to quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Infinite loop

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/net/html +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and golang.org/x/net/html@v0.40.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + golang.org/x/net/html@v0.40.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/net/html is a package that implements an HTML5-compliant tokenizer and parser.

    +

    Affected versions of this package are vulnerable to Infinite loop via the html.Parse function. An attacker can cause resource exhaustion and disrupt service availability by submitting specially crafted HTML input that triggers an infinite parsing loop.

    +

    Remediation

    +

    Upgrade golang.org/x/net/html to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Out-of-bounds Read

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh/agent +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh/agent@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh/agent@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Out-of-bounds Read via the SSH Agent servers. An attacker can cause a panic and disrupt service availability by sending a specially crafted, malformed message that triggers an out-of-bounds read.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh/agent to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + golang.org/x/crypto/ssh +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and golang.org/x/crypto/ssh@v0.31.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + golang.org/x/crypto/ssh@v0.31.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    golang.org/x/crypto/ssh is a SSH client and server

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the SSH servers. An attacker can exhaust system memory resources by sending GSSAPI authentication requests with an excessive number of mechanisms specified.

    +

    Remediation

    +

    Upgrade golang.org/x/crypto/ssh to version 0.45.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/serf/coordinate +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/serf/coordinate@v0.10.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/serf/coordinate@v0.10.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl/v2 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/hashicorp/hcl/v2@v2.13.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/customdecode@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/ext/tryfunc@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/gohcl@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclparse@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclsyntax@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/hclwrite@v2.13.0 + + + +
    • +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/hashicorp/hcl/v2/json@v2.13.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/hcl +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/hcl@v1.0.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl@v1.0.0 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/hcl/hcl/token@v1.0.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/golang-lru/simplelru +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/golang-lru/simplelru@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/golang-lru/simplelru@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-uuid +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-uuid@v1.0.3 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-uuid@v1.0.3 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-sockaddr +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-sockaddr@v1.0.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr@v1.0.7 + + + +
    • +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-sockaddr/template@v1.0.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/strutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/strutil@v0.1.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/parseutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/parseutil@v0.1.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-secure-stdlib/awsutil +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-secure-stdlib/awsutil@v0.3.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-rootcerts +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-rootcerts@v1.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-rootcerts@v1.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-retryablehttp@v0.7.7 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-retryablehttp@v0.7.7 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-immutable-radix +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-immutable-radix@v1.3.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-immutable-radix@v1.3.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/errwrap +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/errwrap@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/errwrap@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/gosimple/slug@v1.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/gosimple/slug@v1.14.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/go-sql-driver/mysql +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and github.com/go-sql-driver/mysql@v1.9.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + github.com/go-sql-driver/mysql@v1.9.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Allocation of Resources Without Limits or Throttling

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-jose/go-jose/v4 +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/go-jose/go-jose/v4@v4.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/go-jose/go-jose/v4@v4.0.2 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the use of strings.Split to split JWT tokens. An attacker can cause memory exhaustion and service disruption by sending numerous malformed tokens with a large number of . characters.

    +

    Workaround

    +

    This vulnerability can be mitigated by pre-validating that payloads passed to Go JOSE do not contain an excessive number of . characters.

    +

    Remediation

    +

    Upgrade github.com/go-jose/go-jose/v4 to version 4.0.5 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Improper Initialization

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/dexidp/dex /usr/local/bin/dex +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + filippo.io/edwards25519 +
    • + +
    • Introduced through: + + github.com/dexidp/dex@* and filippo.io/edwards25519@v1.1.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/dexidp/dex@* + + filippo.io/edwards25519@v1.1.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Initialization via the MultiScalarMult function when the receiver is not properly initialized. An attacker can cause invalid results or undefined behavior by invoking this function on an uninitialized or non-identity receiver.

    +

    Remediation

    +

    Upgrade filippo.io/edwards25519 to version 1.1.1 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    Synchronous Access of Remote Resource without Timeout

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: ghcr.io/dexidp/dex:v2.43.0/hairyhenderson/gomplate/v4 /usr/local/bin/gomplate +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/hashicorp/vault/api +
    • + +
    • Introduced through: + + github.com/hairyhenderson/gomplate/v4@* and github.com/hashicorp/vault/api@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/hairyhenderson/gomplate/v4@* + + github.com/hashicorp/vault/api@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Synchronous Access of Remote Resource without Timeout via the rekey and recovery key operations. An attacker can disrupt service availability by triggering uncontrolled cancellation actions during these processes, which can lead to denial of service.

    +

    Remediation

    +

    Upgrade github.com/hashicorp/vault/api to version 1.20.0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|ghcr.io/dexidp/dex@v2.43.0 and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|ghcr.io/dexidp/dex@v2.43.0 + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + +
diff --git a/docs/snyk/v3.3.1/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html b/docs/snyk/v3.3.1/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
new file mode 100644
index 0000000000..00aa2c6b3b
--- /dev/null
+++ b/docs/snyk/v3.3.1/public.ecr.aws_docker_library_haproxy_3.0.8-alpine.html
@@ -0,0 +1,3286 @@
+ + + + + + + + + Snyk test report + + + + + + + + + +
    +
    +
    +
    + + + Snyk - Open Source Security + + + + + + + +
    +

    Snyk test report

    + +

    February 22nd 2026, 12:31:36 am (UTC+00:00)

    +
    +
    + Scanned the following path: +
      +
    • public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy (apk)
    • +
    +
    + +
    +
    15 known vulnerabilities
    +
    142 vulnerable dependency paths
    +
    19 dependencies
    +
    +
    +
    +
    +
    + + + + + + + +
    Project docker-image|public.ecr.aws/docker/library/haproxy
    Path public.ecr.aws/docker/library/haproxy:3.0.8-alpine/docker/library/haproxy
    Package Manager apk
    +
    +
    +
    +
    +

    CVE-2025-69421

    +
    + +
    +
    + high severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer + dereference in the PKCS12_item_decrypt_d2i_ex() function.

    +

    Impact summary: A NULL pointer dereference can trigger a crash which leads to + Denial of Service for an application processing PKCS#12 files.

    +

    The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct + parameter is NULL before dereferencing it. When called from + PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can + be NULL, causing a crash. The vulnerability is limited to Denial of Service + and cannot be escalated to achieve code execution or memory disclosure.

    +

    Exploiting this issue requires an attacker to provide a malformed PKCS#12 file + to an application that processes it. For that reason the issue was assessed as + Low severity according to our Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9230

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application trying to decrypt CMS messages encrypted using + password based encryption can trigger an out-of-bounds read and write.

    +

    Impact summary: This out-of-bounds read may trigger a crash which leads to + Denial of Service for an application. The out-of-bounds write can cause + a memory corruption which can have various consequences including + a Denial of Service or Execution of attacker-supplied code.

    +

    Although the consequences of a successful exploit of this vulnerability + could be severe, the probability that the attacker would be able to + perform it is low. Besides, password based (PWRI) encryption support in CMS + messages is very rarely used. For that reason the issue was assessed as + Moderate severity according to our Security Policy.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9231

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A timing side-channel which could potentially allow remote + recovery of the private key exists in the SM2 algorithm implementation on 64 bit + ARM platforms.

    +

    Impact summary: A timing side-channel in SM2 signature computations on 64 bit + ARM platforms could allow recovering the private key by an attacker..

    +

    While remote key recovery over a network was not attempted by the reporter, + timing measurements revealed a timing signal which may allow such an attack.

    +

    OpenSSL does not directly support certificates with SM2 keys in TLS, and so + this CVE is not relevant in most TLS contexts. However, given that it is + possible to add support for such certificates via a custom provider, coupled + with the fact that in such a custom provider context the private key may be + recoverable via remote timing measurements, we consider this to be a Moderate + severity issue.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as SM2 is not an approved algorithm.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-9232

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An application using the OpenSSL HTTP client API functions may + trigger an out-of-bounds read if the 'no_proxy' environment variable is set and + the host portion of the authority component of the HTTP URL is an IPv6 address.

    +

    Impact summary: An out-of-bounds read can trigger a crash which leads to + Denial of Service for an application.

    +

    The OpenSSL HTTP client API functions can be used directly by applications + but they are also used by the OCSP client functions and CMP (Certificate + Management Protocol) client implementation in OpenSSL. However the URLs used + by these implementations are unlikely to be controlled by an attacker.

    +

    In this vulnerable code the out of bounds read can only trigger a crash. + Furthermore the vulnerability requires an attacker-controlled URL to be + passed from an application to the OpenSSL function and the user has to have + a 'no_proxy' environment variable set. For the aforementioned reasons the + issue was assessed as Low severity.

    +

    The vulnerable code was introduced in the following patch releases: + 3.0.16, 3.1.8, 3.2.4, 3.3.3, 3.4.0 and 3.5.0.

    +

    The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this + issue, as the HTTP client implementation is outside the OpenSSL FIPS module + boundary.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.5-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69419

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously + crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing + non-ASCII BMP code point can trigger a one byte write before the allocated + buffer.

    +

    Impact summary: The out-of-bounds write can cause a memory corruption + which can have various consequences including a Denial of Service.

    +

    The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 + BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, + the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 + source byte count as the destination buffer capacity to UTF8_putc(). For BMP + code points above U+07FF, UTF-8 requires three bytes, but the forwarded + capacity can be just two bytes. UTF8_putc() then returns -1, and this negative + value is added to the output length without validation, causing the + length to become negative. The subsequent trailing NUL byte is then written + at a negative offset, causing write outside of heap allocated buffer.

    +

    The vulnerability is reachable via the public PKCS12_get_friendlyname() API + when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a + different code path that avoids this issue, PKCS12_get_friendlyname() directly + invokes the vulnerable function. Exploitation requires an attacker to provide + a malicious PKCS#12 file to be parsed by the application and the attacker + can just trigger a one zero byte write before the allocated buffer. + For that reason the issue was assessed as Low severity according to our + Security Policy.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69418

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: When using the low-level OCB API directly with AES-NI or<br>other hardware-accelerated code paths, inputs whose length is not a multiple<br>of 16 bytes can leave the final partial block unencrypted and unauthenticated.<br><br>Impact summary: The trailing 1-15 bytes of a message may be exposed in<br>cleartext on encryption and are not covered by the authentication tag,<br>allowing an attacker to read or tamper with those bytes without detection.<br><br>The low-level OCB encrypt and decrypt routines in the hardware-accelerated<br>stream path process full 16-byte blocks but do not advance the input/output<br>pointers. The subsequent tail-handling code then operates on the original<br>base pointers, effectively reprocessing the beginning of the buffer while<br>leaving the actual trailing bytes unprocessed. The authentication checksum<br>also excludes the true tail bytes.<br><br>However, typical OpenSSL consumers using EVP are not affected because the<br>higher-level EVP and provider OCB implementations split inputs so that full<br>blocks and trailing partial blocks are processed in separate calls, avoiding<br>the problematic code path. Additionally, TLS does not use OCB ciphersuites.<br>The vulnerability only affects applications that call the low-level<br>CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with<br>non-block-aligned lengths in a single call on hardware-accelerated builds.<br>For these reasons the issue was assessed as Low severity.<br><br>The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected<br>by this issue, as OCB mode is not a FIPS-approved algorithm.<br><br>OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.<br><br>OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15468

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: If an application using the SSL_CIPHER_find() function in + a QUIC protocol client or server receives an unknown cipher suite from + the peer, a NULL dereference occurs.

    +

    Impact summary: A NULL pointer dereference leads to abnormal termination of + the running process causing Denial of Service.

    +

    Some applications call SSL_CIPHER_find() from the client_hello_cb callback + on the cipher ID received from the peer. If this is done with an SSL object + implementing the QUIC protocol, NULL pointer dereference will happen if + the examined cipher ID is unknown or unsupported.

    +

    As it is not very common to call this function in applications using the QUIC + protocol and the worst outcome is Denial of Service, the issue was assessed + as Low severity.

    +

    The vulnerable code was introduced in the 3.2 version with the addition + of the QUIC protocol support.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the QUIC implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-69420

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the TimeStamp Response + verification code where an ASN1_TYPE union member is accessed without first + validating the type, causing an invalid or NULL pointer dereference when + processing a malformed TimeStamp Response file.

    +

    Impact summary: An application calling TS_RESP_verify_response() with a + malformed TimeStamp Response can be caused to dereference an invalid or + NULL pointer when reading, resulting in a Denial of Service.

    +

    The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() + access the signing cert attribute value without validating its type. + When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory + through the ASN1_TYPE union, causing a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + TimeStamp Response to an application that verifies timestamp responses. The + TimeStamp protocol (RFC 3161) is not widely used and the impact of the + exploit is just a Denial of Service. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the TimeStamp Response implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-66199

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A TLS 1.3 connection using certificate compression can be + forced to allocate a large buffer before decompression without checking + against the configured certificate size limit.

    +

    Impact summary: An attacker can cause per-connection memory allocations of + up to approximately 22 MiB and extra CPU work, potentially leading to + service degradation or resource exhaustion (Denial of Service).

    +

    In affected configurations, the peer-supplied uncompressed certificate + length from a CompressedCertificate message is used to grow a heap buffer + prior to decompression. This length is not bounded by the max_cert_list + setting, which otherwise constrains certificate message sizes. An attacker + can exploit this to cause large per-connection allocations followed by + handshake failure. No memory corruption or information disclosure occurs.

    +

    This issue only affects builds where TLS 1.3 certificate compression is + compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression + algorithm (brotli, zlib, or zstd) is available, and where the compression + extension is negotiated. Both clients receiving a server CompressedCertificate + and servers in mutual TLS scenarios receiving a client CompressedCertificate + are affected. Servers that do not request client certificates are not + vulnerable to client-initiated attacks.

    +

    Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION + to disable receiving compressed certificates.

    +

    The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, + as the TLS implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue.

    +

    OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-15467

    +
    + +
    +
    + low severity +
    +
    + Exploit: Proof of Concept +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Parsing CMS AuthEnvelopedData message with maliciously + crafted AEAD parameters can trigger a stack buffer overflow.

    +

    Impact summary: A stack buffer overflow may lead to a crash, causing Denial + of Service, or potentially remote code execution.

    +

    When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as + AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is + copied into a fixed-size stack buffer without verifying that its length fits + the destination. An attacker can supply a crafted CMS message with an + oversized IV, causing a stack-based out-of-bounds write before any + authentication or tag verification occurs.

    +

    Applications and services that parse untrusted CMS or PKCS#7 content using + AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. + Because the overflow occurs prior to authentication, no valid key material + is required to trigger it. While exploitability to remote code execution + depends on platform and toolchain mitigations, the stack-based write + primitive represents a severe risk.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this + issue, as the CMS implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue.

    +

    OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22795

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: An invalid or NULL pointer dereference can happen in + an application processing a malformed PKCS#12 file.

    +

    Impact summary: An application processing a malformed PKCS#12 file can be + caused to dereference an invalid or NULL pointer on memory read, resulting + in a Denial of Service.

    +

    A type confusion vulnerability exists in PKCS#12 parsing code where + an ASN1_TYPE union member is accessed without first validating the type, + causing an invalid pointer read.

    +

    The location is constrained to a 1-byte address space, meaning any + attempted pointer manipulation can only target addresses between 0x00 and 0xFF. + This range corresponds to the zero page, which is unmapped on most modern + operating systems and will reliably result in a crash, leading only to a + Denial of Service. Exploiting this issue also requires a user or application + to process a maliciously crafted PKCS#12 file. It is uncommon to accept + untrusted PKCS#12 files in applications as they are usually used to store + private keys which are trusted by definition. For these reasons, the issue + was assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS12 implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue.

    +

    OpenSSL 1.0.2 is not affected by this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2026-22796

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: A type confusion vulnerability exists in the signature + verification of signed PKCS#7 data where an ASN1_TYPE union member is + accessed without first validating the type, causing an invalid or NULL + pointer dereference when processing malformed PKCS#7 data.

    +

    Impact summary: An application performing signature verification of PKCS#7 + data or calling directly the PKCS7_digest_from_attributes() function can be + caused to dereference an invalid or NULL pointer when reading, resulting in + a Denial of Service.

    +

    The function PKCS7_digest_from_attributes() accesses the message digest attribute + value without validating its type. When the type is not V_ASN1_OCTET_STRING, + this results in accessing invalid memory through the ASN1_TYPE union, causing + a crash.

    +

    Exploiting this vulnerability requires an attacker to provide a malformed + signed PKCS#7 to an application that verifies it. The impact of the + exploit is just a Denial of Service, the PKCS7 API is legacy and applications + should be using the CMS API instead. For these reasons the issue was + assessed as Low severity.

    +

    The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module + boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-68160

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + openssl/libcrypto3 +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and openssl/libcrypto3@3.3.3-r0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + openssl/libcrypto3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + .haproxy-rundeps@20250214.191219 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + apk-tools/apk-tools@2.14.6-r3 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + openssl/libssl3@3.3.3-r0 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    Issue summary: Writing large, newline-free data into a BIO chain using the + line-buffering filter where the next BIO performs short writes can trigger + a heap-based out-of-bounds write.

    +

    Impact summary: This out-of-bounds write can cause memory corruption which + typically results in a crash, leading to Denial of Service for an application.

    +

    The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in + TLS/SSL data paths. In OpenSSL command-line applications, it is typically + only pushed onto stdout/stderr on VMS systems. Third-party applications that + explicitly use this filter with a BIO chain that can short-write and that + write large, newline-free data influenced by an attacker would be affected. + However, the circumstances where this could happen are unlikely to be under + attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated + data controlled by an attacker. For that reason the issue was assessed as + Low severity.

    +

    The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, + as the BIO implementation is outside the OpenSSL FIPS module boundary.

    +

    OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue.

    +

    Remediation

    +

    Upgrade Alpine:3.21 openssl to version 3.3.6-r0 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2024-58251

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-46394

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Package Manager: alpine:3.21 +
    • +
    • + Vulnerable module: + + busybox/busybox +
    • + +
    • Introduced through: + + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine and busybox/busybox@1.37.0-r12 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + busybox/busybox@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + alpine-baselayout/alpine-baselayout@3.6.8-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + ca-certificates/ca-certificates@20241121-r1 + + busybox/busybox-binsh@1.37.0-r12 + + + +
    • +
    • + Introduced through: + docker-image|public.ecr.aws/docker/library/haproxy@3.0.8-alpine + + busybox/ssl_client@1.37.0-r12 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. + See How to fix? for Alpine:3.21 relevant fixed versions and status.

    +

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    +

    Remediation

    +

    Upgrade Alpine:3.21 busybox to version 1.37.0-r14 or higher.

    +

    References

    + + +
    + + + +
    +
    +
    +
    + + + diff --git a/docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_redis_8.2.3-alpine.html b/docs/snyk/v3.3.1/public.ecr.aws_docker_library_redis_8.2.3-alpine.html similarity index 52% rename from docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_redis_8.2.3-alpine.html rename to docs/snyk/v3.3.1/public.ecr.aws_docker_library_redis_8.2.3-alpine.html index af53d047cc..28fda98099 100644 --- a/docs/snyk/v3.3.0-rc3/public.ecr.aws_docker_library_redis_8.2.3-alpine.html +++ b/docs/snyk/v3.3.1/public.ecr.aws_docker_library_redis_8.2.3-alpine.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,7 +492,7 @@

    Snyk test report

    -

    January 18th 2026, 12:28:25 am (UTC+00:00)

    +

    February 22nd 2026, 12:31:42 am (UTC+00:00)

    Scanned the following path: @@ -502,8 +502,8 @@
    -
    2 known vulnerabilities
    -
    10 vulnerable dependency paths
    +
    0 known vulnerabilities
    +
    0 vulnerable dependency paths
    22 dependencies
    @@ -520,241 +520,7 @@
    -
    -
    -

    CVE-2025-46394

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In tar in BusyBox through 1.37.0, a TAR archive can have filenames hidden from a listing through the use of terminal escape sequences.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2024-58251

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Package Manager: alpine:3.22 -
    • -
    • - Vulnerable module: - - busybox/busybox -
    • - -
    • Introduced through: - - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine and busybox/busybox@1.37.0-r19 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - busybox/busybox@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - alpine-baselayout/alpine-baselayout@3.7.0-r0 - - busybox/busybox-binsh@1.37.0-r19 - - - -
    • -
    • - Introduced through: - docker-image|public.ecr.aws/docker/library/redis@8.2.3-alpine - - busybox/ssl_client@1.37.0-r19 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream busybox package and not the busybox package as distributed by Alpine. - See How to fix? for Alpine:3.22 relevant fixed versions and status.

    -

    In netstat in BusyBox through 1.37.0, local users can launch of network application with an argv[0] containing an ANSI terminal escape sequence, leading to a denial of service (terminal locked up) when netstat is used by a victim.

    -

    Remediation

    -

    Upgrade Alpine:3.22 busybox to version 1.37.0-r20 or higher.

    -

    References

    - - -
    - - - -
    -
    + No known vulnerabilities detected.
    diff --git a/docs/snyk/v3.1.11/quay.io_argoproj_argocd_v3.1.11.html b/docs/snyk/v3.3.1/quay.io_argoproj_argocd_v3.3.1.html similarity index 75% rename from docs/snyk/v3.1.11/quay.io_argoproj_argocd_v3.1.11.html rename to docs/snyk/v3.3.1/quay.io_argoproj_argocd_v3.3.1.html index 29fe17d2c8..9287ed95e7 100644 --- a/docs/snyk/v3.1.11/quay.io_argoproj_argocd_v3.1.11.html +++ b/docs/snyk/v3.3.1/quay.io_argoproj_argocd_v3.3.1.html @@ -7,7 +7,7 @@ Snyk test report - + @@ -492,23 +492,23 @@

    Snyk test report

    -

    January 18th 2026, 12:34:18 am (UTC+00:00)

    +

    February 22nd 2026, 12:32:02 am (UTC+00:00)

    Scanned the following paths:
      -
    • quay.io/argoproj/argocd:v3.1.11/argoproj/argocd/Dockerfile (deb)
    • -
    • quay.io/argoproj/argocd:v3.1.11/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.1.11//usr/local/bin/kustomize (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.1.11/helm/v3//usr/local/bin/helm (gomodules)
    • -
    • quay.io/argoproj/argocd:v3.1.11/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.3.1/argoproj/argocd/Dockerfile (deb)
    • +
    • quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3//usr/local/bin/argocd (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.3.1//usr/local/bin/kustomize (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.3.1/helm/v3//usr/local/bin/helm (gomodules)
    • +
    • quay.io/argoproj/argocd:v3.3.1/git-lfs/git-lfs//usr/bin/git-lfs (gomodules)
    -
    22 known vulnerabilities
    -
    73 vulnerable dependency paths
    -
    2320 dependencies
    +
    27 known vulnerabilities
    +
    71 vulnerable dependency paths
    +
    2323 dependencies
    @@ -516,13 +516,13 @@
    -
    -

    Directory Traversal

    +
    +

    Untrusted Search Path

    -
    - medium severity +
    + high severity
    Exploit: Not Defined @@ -533,20 +533,20 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd
    • - Package Manager: ubuntu:24.04 + Package Manager: golang
    • Vulnerable module: - tar + go.opentelemetry.io/otel/sdk/resource
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and tar@1.35+dfsg-3build1 + github.com/argoproj/argo-cd/v3@* and go.opentelemetry.io/otel/sdk/resource@v1.38.0
    @@ -559,22 +559,9 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + github.com/argoproj/argo-cd/v3@* - tar@1.35+dfsg-3build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - dash@0.5.12-6ubuntu5 - - dpkg@1.22.6ubuntu6.5 - - tar@1.35+dfsg-3build1 + go.opentelemetry.io/otel/sdk/resource@v1.38.0 @@ -585,27 +572,20 @@
      -

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      -

      GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

      +

      Overview

      +

      Affected versions of this package are vulnerable to Untrusted Search Path in resource detection code which executes ioreg, when the PATH environment variable is modified to include a malicious executable. An attacker can execute arbitrary code within the context of the application by placing a malicious binary earlier in the search path.

      +

      Note: This vulnerability is only exploitable on MacOS/Darwin systems.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 tar.

      +

      Upgrade go.opentelemetry.io/otel/sdk/resource to version 1.40.0 or higher.

      References


    @@ -626,20 +606,20 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: - pam/libpam0g + tar
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and pam/libpam0g@1.5.3-5ubuntu5.5 + docker-image|quay.io/argoproj/argocd@v3.3.1 and tar@1.35+dfsg-3.1build1
    @@ -652,174 +632,287 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - pam/libpam0g@1.5.3-5ubuntu5.5 + tar@1.35+dfsg-3.1build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - shadow/login@1:4.13+dfsg1-4ubuntu3.2 + dpkg@1.22.21ubuntu3.1 - pam/libpam0g@1.5.3-5ubuntu5.5 + tar@1.35+dfsg-3.1build1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream tar package and not the tar package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    +

    GNU Tar through 1.35 allows file overwrite via directory traversal in crafted TAR archives, with a certain two-step process. First, the victim must extract an archive that contains a ../ symlink to a critical directory. Second, the victim must extract an archive that contains a critical file, specified via a relative pathname that begins with the symlink name and ends with that critical file's name. Here, the extraction follows the symlink and overwrites the critical file. This bypasses the protection mechanism of "Member name contains '..'" that would occur for a single TAR archive that attempted to specify the critical file via a ../ approach. For example, the first archive can contain "x -> ../../../../../home/victim/.ssh" and the second archive can contain x/authorized_keys. This can affect server applications that automatically extract any number of user-supplied TAR archives, and were relying on the blocking of traversal. This can also affect software installation processes in which "tar xf" is run more than once (e.g., when installing a package can automatically install two dependencies that are set up as untrusted tarballs instead of official packages). NOTE: the official GNU Tar manual has an otherwise-empty directory for each "tar xf" in its Security Rules of Thumb; however, third-party advice leads users to run "tar xf" more than once into the same directory.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 tar.

    +

    References

    + + +
    + + + +
    +
    +

    Directory Traversal

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + pam/libpam0g +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.3.1 and pam/libpam0g@1.7.0-5ubuntu2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - util-linux@2.39.3-9ubuntu6.4 + util-linux@2.41-4ubuntu4.1 - pam/libpam0g@1.5.3-5ubuntu5.5 + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.1 - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam0g@1.5.3-5ubuntu5.5 + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - adduser@3.137ubuntu1 + adduser@3.152ubuntu1 - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + shadow/passwd@1:4.17.4-2ubuntu2 - pam/libpam-modules@1.5.3-5ubuntu5.5 - - pam/libpam0g@1.5.3-5ubuntu5.5 + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - adduser@3.137ubuntu1 + adduser@3.152ubuntu1 - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + shadow/passwd@1:4.17.4-2ubuntu2 - pam/libpam-modules@1.5.3-5ubuntu5.5 + pam/libpam-modules@1.7.0-5ubuntu2 - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 - - pam/libpam0g@1.5.3-5ubuntu5.5 + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 + apt@3.1.6ubuntu2 + + adduser@3.152ubuntu1 + + shadow/passwd@1:4.17.4-2ubuntu2 + + pam/libpam-modules@1.7.0-5ubuntu2 + + pam/libpam-modules-bin@1.7.0-5ubuntu2 + + pam/libpam0g@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - pam/libpam-modules-bin@1.5.3-5ubuntu5.5 + pam/libpam-modules-bin@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - pam/libpam-modules@1.5.3-5ubuntu5.5 + apt@3.1.6ubuntu2 + + adduser@3.152ubuntu1 + + shadow/passwd@1:4.17.4-2ubuntu2 + + pam/libpam-modules@1.7.0-5ubuntu2 + + pam/libpam-modules-bin@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - pam/libpam-runtime@1.5.3-5ubuntu5.5 - - pam/libpam-modules@1.5.3-5ubuntu5.5 + pam/libpam-modules@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - shadow/login@1:4.13+dfsg1-4ubuntu3.2 + pam/libpam-runtime@1.7.0-5ubuntu2 - pam/libpam-modules@1.5.3-5ubuntu5.5 + pam/libpam-modules@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + util-linux@2.41-4ubuntu4.1 - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 + pam/libpam-modules@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - pam/libpam-runtime@1.5.3-5ubuntu5.5 + util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.1 + + pam/libpam-modules@1.7.0-5ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - shadow/login@1:4.13+dfsg1-4ubuntu3.2 + apt@3.1.6ubuntu2 - pam/libpam-runtime@1.5.3-5ubuntu5.5 + adduser@3.152ubuntu1 + + shadow/passwd@1:4.17.4-2ubuntu2 + + pam/libpam-modules@1.7.0-5ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + pam/libpam-runtime@1.7.0-5ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + util-linux@2.41-4ubuntu4.1 + + pam/libpam-runtime@1.7.0-5ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.1 + + pam/libpam-runtime@1.7.0-5ubuntu2 @@ -832,10 +925,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream pam package and not the pam package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      A flaw was found in linux-pam. The pam_namespace module may improperly handle user-controlled paths, allowing local users to exploit symlink attacks and race conditions to elevate their privileges to root. This CVE provides a "complete" fix for CVE-2025-6020.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 pam.

      +

      There is no fixed version for Ubuntu:25.10 pam.

      References

    @@ -884,10 +977,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -897,7 +990,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and gnupg2/gpgv@2.4.4-2ubuntu17.4 + docker-image|quay.io/argoproj/argocd@v3.3.1 and gnupg2/gpgv@2.4.8-2ubuntu2.1
    @@ -910,80 +1003,80 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpgv@2.4.4-2ubuntu17.4 + gnupg2/gpgv@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - gnupg2/gpgv@2.4.4-2ubuntu17.4 + gnupg2/gpgv@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/dirmngr@2.4.4-2ubuntu17.4 + gnupg2/dirmngr@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + gnupg2/gpg-agent@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg@2.4.4-2ubuntu17.4 + gnupg2/gpg@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/dirmngr@2.4.4-2ubuntu17.4 + gnupg2/dirmngr@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg@2.4.4-2ubuntu17.4 + gnupg2/gpg@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + gnupg2/gpg-agent@2.4.8-2ubuntu2.1 @@ -996,10 +1089,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      In GnuPG through 2.4.8, if a signed message has \f at the end of a plaintext line, an adversary can construct a modified message that places additional text after the signed material, such that signature verification of the modified message succeeds (although an "invalid armor" message is printed during verification). This is related to use of \f as a marker to denote truncation of a long plaintext line.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 gnupg2.

      +

      There is no fixed version for Ubuntu:25.10 gnupg2.

      References

    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/r3labs/diff/v3 +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/r3labs/diff/v3@v3.0.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/r3labs/diff/v3@v3.0.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-version +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-version@v1.7.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-version@v1.7.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-retryablehttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-retryablehttp@v0.7.8 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-retryablehttp@v0.7.8 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/helm/v3 /usr/local/bin/helm +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-multierror +
    • + +
    • Introduced through: + + helm.sh/helm/v3@* and github.com/hashicorp/go-multierror@v1.1.1 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + helm.sh/helm/v3@* + + github.com/hashicorp/go-multierror@v1.1.1 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/hashicorp/go-cleanhttp +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/hashicorp/go-cleanhttp@v0.5.2 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/hashicorp/go-cleanhttp@v0.5.2 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    MPL-2.0 license

    +
    + +
    +
    + medium severity +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Module: + + github.com/gosimple/slug +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/gosimple/slug@v1.15.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/gosimple/slug@v1.15.0 + + + +
    • +
    + +
    + +
    + +

    MPL-2.0 license

    + +
    + + + +
    +
    +

    Improper Validation of Integrity Check Value

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argo-cd/v3 /usr/local/bin/argocd +
    • +
    • + Package Manager: golang +
    • +
    • + Vulnerable module: + + github.com/go-git/go-git/v5/storage/filesystem +
    • + +
    • Introduced through: + + github.com/argoproj/argo-cd/v3@* and github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + github.com/argoproj/argo-cd/v3@* + + github.com/go-git/go-git/v5/storage/filesystem@v5.14.0 + + + +
    • +
    + +
    + +
    + +

    Overview

    +

    Affected versions of this package are vulnerable to Improper Validation of Integrity Check Value for .idx and .pack files. An attacker can cause the application to consume corrupted files, leading to unexpected errors, due to checksums not being checked in the loadIdxFile() function.

    +

    Workaround

    +

    This vulnerability can be mitigated by running 'git fsck' from the git CLI to check for data corruption on a given repository.

    +

    Remediation

    +

    Upgrade github.com/go-git/go-git/v5/storage/filesystem to version 5.16.5 or higher.

    +

    References

    + + +
    + +
    @@ -1032,10 +1572,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -1046,7 +1586,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -1058,31 +1598,31 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - git/git-man@1:2.43.0-1ubuntu7.3 + git/git-man@1:2.51.0-1ubuntu1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git-lfs@3.4.1-1ubuntu0.3 + git-lfs@3.6.1-1ubuntu0.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 @@ -1095,10 +1635,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream git package and not the git package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      Git is a source code management tool. When cloning from a server (or fetching, or pushing), informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed directly to the standard error output. Typically, this standard error output is connected to a terminal that understands ANSI escape sequences, which Git did not protect against. Most modern terminals support control sequences that can be used by a malicious actor to hide and misrepresent information, or to mislead the user into executing untrusted scripts. As requested on the git-security mailing list, the patches are under discussion on the public mailing list. Users are advised to update as soon as possible. Users unable to upgrade should avoid recursive clones unless they are from trusted sources.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 git.

      +

      There is no fixed version for Ubuntu:25.10 git.

      References

    -
    -

    Link Following

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - git-lfs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.1.11 and git-lfs@3.4.1-1ubuntu0.3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git-lfs@3.4.1-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 git-lfs.

    -

    References

    - - -
    - - - -
    -
    -

    Arbitrary Code Injection

    -
    - -
    -
    - medium severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - git-lfs -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.1.11 and git-lfs@3.4.1-1ubuntu0.3 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git-lfs@3.4.1-1ubuntu0.3 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream git-lfs package and not the git-lfs package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    Git LFS is a Git extension for versioning large files. When Git LFS requests credentials from Git for a remote host, it passes portions of the host's URL to the git-credential(1) command without checking for embedded line-ending control characters, and then sends any credentials it receives back from the Git credential helper to the remote host. By inserting URL-encoded control characters such as line feed (LF) or carriage return (CR) characters into the URL, an attacker may be able to retrieve a user's Git credentials. This problem exists in all previous versions and is patched in v3.6.1. All users should upgrade to v3.6.1. There are no workarounds known at this time.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 git-lfs.

    -

    References

    - - -
    - -
    @@ -1287,10 +1670,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -1301,7 +1684,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -1313,11 +1696,11 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - expat/libexpat1@2.6.1-2ubuntu0.3 + expat/libexpat1@2.7.1-2ubuntu0.2 @@ -1330,10 +1713,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream expat package and not the expat package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 expat.

      +

      There is no fixed version for Ubuntu:25.10 expat.

      References

    +
    +

    CVE-2025-11563

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + git@1:2.51.0-1ubuntu1 + + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    This vulnerability has not been analyzed by NVD yet.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 curl.

    +

    References

    + + +
    + + + +
    +
    +

    CVE-2025-13034

    +
    + +
    +
    + medium severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + curl/libcurl3t64-gnutls +
    • + +
    • Introduced through: + + + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + git@1:2.51.0-1ubuntu1 + + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    +

    When using CURLOPT_PINNEDPUBLICKEY option with libcurl or --pinnedpubkey + with the curl tool,curl should check the public key of the server certificate + to verify the peer.

    +

    This check was skipped in a certain condition that would then make curl allow + the connection without performing the proper check, thus not noticing a + possible impostor. To skip this check, the connection had to be done with QUIC + with ngtcp2 built to use GnuTLS and the user had to explicitly disable the + standard certificate verification.

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 curl.

    +

    References

    + + +
    + +
    @@ -1365,20 +1907,20 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: - shadow/passwd + shadow/login.defs
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + docker-image|quay.io/argoproj/argocd@v3.3.1 and shadow/login.defs@1:4.17.4-2ubuntu2
    @@ -1391,42 +1933,68 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + shadow/login.defs@1:4.17.4-2ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - openssh/openssh-client@1:9.6p1-3ubuntu13.14 + util-linux/login@1:4.16.0-2+really2.41-4ubuntu4.1 - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + shadow/login.defs@1:4.17.4-2ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - adduser@3.137ubuntu1 + adduser@3.152ubuntu1 - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 + shadow/passwd@1:4.17.4-2ubuntu2 + + shadow/login.defs@1:4.17.4-2ubuntu2
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - shadow/login@1:4.13+dfsg1-4ubuntu3.2 + shadow/passwd@1:4.17.4-2ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + openssh/openssh-client@1:10.0p1-5ubuntu5 + + shadow/passwd@1:4.17.4-2ubuntu2 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + apt@3.1.6ubuntu2 + + adduser@3.152ubuntu1 + + shadow/passwd@1:4.17.4-2ubuntu2 @@ -1439,10 +2007,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream shadow package and not the shadow package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account takeover, e.g., by leveraging newuidmap for access to an NFS home directory (or same-host resources in the case of remote logins by these local network users). NOTE: it may also be argued that system administrators should not have assigned uids, within local networks, that are within the range that can occur in /etc/subuid.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 shadow.

      +

      There is no fixed version for Ubuntu:25.10 shadow.

      References

    @@ -1475,10 +2043,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -1488,7 +2056,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and patch@2.7.6-7build3 + docker-image|quay.io/argoproj/argocd@v3.3.1 and patch@2.8-2
    @@ -1501,9 +2069,9 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - patch@2.7.6-7build3 + patch@2.8-2 @@ -1516,10 +2084,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 patch.

      +

      There is no fixed version for Ubuntu:25.10 patch.

      References

    @@ -1550,10 +2118,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -1563,7 +2131,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and patch@2.7.6-7build3 + docker-image|quay.io/argoproj/argocd@v3.3.1 and patch@2.8-2
    @@ -1576,9 +2144,9 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - patch@2.7.6-7build3 + patch@2.8-2 @@ -1591,10 +2159,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream patch package and not the patch package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 patch.

      +

      There is no fixed version for Ubuntu:25.10 patch.

      References

    -

    CVE-2024-41996

    +

    Improper Neutralization of Null Byte or NUL Character

    @@ -1630,20 +2198,20 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: - openssl/libssl3t64 + openssh/openssh-client
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and openssl/libssl3t64@3.0.13-0ubuntu3.6 + docker-image|quay.io/argoproj/argocd@v3.3.1 and openssh/openssh-client@1:10.0p1-5ubuntu5
    @@ -1656,135 +2224,9 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - coreutils@9.4-3ubuntu6.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - cyrus-sasl2/libsasl2-modules@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - libfido2/libfido2-1@1.14.0-1build3 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - openssh/openssh-client@1:9.6p1-3ubuntu13.14 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.6 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - libssh/libssh-4@0.10.6-2ubuntu0.2 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - krb5/libgssapi-krb5-2@1.20.1-6ubuntu2.6 - - krb5/libkrb5-3@1.20.1-6ubuntu2.6 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - openldap/libldap2@2.6.7+dfsg-1~exp1ubuntu8.2 - - cyrus-sasl2/libsasl2-2@2.1.28+dfsg1-5ubuntu3.1 - - openssl/libssl3t64@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - openssl@3.0.13-0ubuntu3.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - ca-certificates@20240203 - - openssl@3.0.13-0ubuntu3.6 + openssh/openssh-client@1:10.0p1-5ubuntu5 @@ -1796,23 +2238,105 @@

      NVD Description

      -

      Note: Versions mentioned in the description apply only to the upstream openssl package and not the openssl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      -

      Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used, allows remote attackers (from the client side) to trigger unnecessarily expensive server-side DHE modular-exponentiation calculations. The client may cause asymmetric resource consumption. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE and validate the order of the public key.

      +

      Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      +

      ssh in OpenSSH before 10.1 allows the '\0' character in an ssh:// URI, potentially leading to code execution when a ProxyCommand is used.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 openssl.

      +

      There is no fixed version for Ubuntu:25.10 openssh.

      References


      + +
    +
    +

    Failure to Sanitize Special Element

    +
    + +
    +
    + low severity +
    +
    + Exploit: Not Defined +
    +
    + +
    + +
      +
    • + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile +
    • +
    • + Package Manager: ubuntu:25.10 +
    • +
    • + Vulnerable module: + + openssh/openssh-client +
    • + +
    • Introduced through: + + docker-image|quay.io/argoproj/argocd@v3.3.1 and openssh/openssh-client@1:10.0p1-5ubuntu5 + +
    • +
    + +
    + + +

    Detailed paths

    + +
      +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + openssh/openssh-client@1:10.0p1-5ubuntu5 + + + +
    • +
    + +
    + +
    + +

    NVD Description

    +

    Note: Versions mentioned in the description apply only to the upstream openssh package and not the openssh package as distributed by Ubuntu. + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

    +

    ssh in OpenSSH before 10.1 allows control characters in usernames that originate from certain possibly untrusted sources, potentially leading to code execution when a ProxyCommand is used. The untrusted sources are the command line and %-sequence expansion of a configuration file. (A configuration file that provides a complete literal username is not categorized as an untrusted source.)

    +

    Remediation

    +

    There is no fixed version for Ubuntu:25.10 openssh.

    +

    References

    + + +
    + +
    @@ -1833,10 +2357,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -1846,7 +2370,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and libgcrypt20@1.10.3-2build1 + docker-image|quay.io/argoproj/argocd@v3.3.1 and libgcrypt20@1.11.0-7build1
    @@ -1859,100 +2383,68 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/dirmngr@2.4.4-2ubuntu17.4 + gnupg2/dirmngr@2.4.8-2ubuntu2.1 - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg@2.4.4-2ubuntu17.4 + gnupg2/gpg@2.4.8-2ubuntu2.1 - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + gnupg2/gpg-agent@2.4.8-2ubuntu2.1 - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - apt/libapt-pkg6.0t64@2.8.3 + gnupg2/gpgv@2.4.8-2ubuntu2.1 - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + gnupg2/gpg@2.4.8-2ubuntu2.1 - gnupg2/gpgv@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1 - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - gnupg2/gpg@2.4.4-2ubuntu17.4 - - gnupg2/gpgconf@2.4.4-2ubuntu17.4 - - libgcrypt20@1.10.3-2build1 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - apt@2.8.3 - - adduser@3.137ubuntu1 - - shadow/passwd@1:4.13+dfsg1-4ubuntu3.2 - - pam/libpam-modules@1.5.3-5ubuntu5.5 - - systemd/libsystemd0@255.4-1ubuntu8.12 - - libgcrypt20@1.10.3-2build1 + libgcrypt20@1.11.0-7build1 @@ -1965,10 +2457,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream libgcrypt20 package and not the libgcrypt20 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      A timing-based side-channel flaw was found in libgcrypt's RSA implementation. This issue may allow a remote attacker to initiate a Bleichenbacher-style attack, which can lead to the decryption of RSA ciphertexts.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 libgcrypt20.

      +

      There is no fixed version for Ubuntu:25.10 libgcrypt20.

      References

    @@ -2004,10 +2496,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -2017,7 +2509,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and gnupg2/gpgv@2.4.4-2ubuntu17.4 + docker-image|quay.io/argoproj/argocd@v3.3.1 and gnupg2/gpgv@2.4.8-2ubuntu2.1
    @@ -2030,80 +2522,80 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpgv@2.4.4-2ubuntu17.4 + gnupg2/gpgv@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - apt@2.8.3 + apt@3.1.6ubuntu2 - gnupg2/gpgv@2.4.4-2ubuntu17.4 + gnupg2/gpgv@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/dirmngr@2.4.4-2ubuntu17.4 + gnupg2/dirmngr@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + gnupg2/gpg-agent@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg@2.4.4-2ubuntu17.4 + gnupg2/gpg@2.4.8-2ubuntu2.1 - gnupg2/gpgconf@2.4.4-2ubuntu17.4 + gnupg2/gpgconf@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/dirmngr@2.4.4-2ubuntu17.4 + gnupg2/dirmngr@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg@2.4.4-2ubuntu17.4 + gnupg2/gpg@2.4.8-2ubuntu2.1
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - gnupg2/gpg-agent@2.4.4-2ubuntu17.4 + gnupg2/gpg-agent@2.4.8-2ubuntu2.1 @@ -2116,10 +2608,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream gnupg2 package and not the gnupg2 package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      GnuPG can be made to spin on a relatively small input by (for example) crafting a public key with thousands of signatures attached, compressed down to just a few KB.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 gnupg2.

      +

      There is no fixed version for Ubuntu:25.10 gnupg2.

      References

    -

    Allocation of Resources Without Limits or Throttling

    +

    Out-of-bounds Read

    @@ -2155,96 +2647,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - glibc/libc-bin -
    • - -
    • Introduced through: - - docker-image|quay.io/argoproj/argocd@v3.1.11 and glibc/libc-bin@2.39-0ubuntu8.6 - -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - glibc/libc-bin@2.39-0ubuntu8.6 - - - -
    • -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - glibc/libc6@2.39-0ubuntu8.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream glibc package and not the glibc package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm's runtime is proportional to the square of the length of the password.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 glibc.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-9086

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -2255,7 +2661,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -2267,11 +2673,11 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 @@ -2284,7 +2690,7 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      1. A cookie is set using the secure keyword for https://target
      2. curl is redirected to or otherwise made to speak with http://target (same @@ -2302,7 +2708,7 @@ the cookie since it was already set as secure on a secure host so overriding it on an insecure host should not be okay.

        Remediation

        -

        There is no fixed version for Ubuntu:24.04 curl.

        +

        There is no fixed version for Ubuntu:25.10 curl.

        References

    @@ -2337,10 +2743,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -2351,7 +2757,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -2363,11 +2769,11 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 @@ -2380,7 +2786,7 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      curl's websocket code did not update the 32 bit mask pattern for each new outgoing frame as the specification says. Instead it used a fixed mask that persisted and was used throughout the entire connection.

      @@ -2390,7 +2796,7 @@ and thereby poison its cache. That cached poisoned content could then be served to all users of that proxy.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 curl.

      +

      There is no fixed version for Ubuntu:25.10 curl.

      References

    -
    -

    CVE-2025-15224

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When doing SSH-based transfers using either SCP or SFTP, and asked to do - public key authentication, curl would wrongly still ask and authenticate using - a locally running SSH agent.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - - - -
    -
    -

    CVE-2025-15079

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When doing SSH-based transfers using either SCP or SFTP, and setting the - known_hosts file, libcurl could still mistakenly accept connecting to hosts - not present in the specified file if they were added as recognized in the - libssh global known_hosts file.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - -
    @@ -2591,10 +2832,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -2605,7 +2846,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -2617,11 +2858,11 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 @@ -2634,14 +2875,14 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      When doing TLS related transfers with reused easy or multi handles and altering the CURLSSLOPT_NO_PARTIALCHAIN option, libcurl could accidentally reuse a CA store cached in memory for which the partial chain option was reversed. Contrary to the user's wishes and expectations. This could make libcurl find and accept a trust chain that it otherwise would not.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 curl.

      +

      There is no fixed version for Ubuntu:25.10 curl.

      References

    -

    CVE-2025-14524

    +

    Open Redirect

    @@ -2674,10 +2915,10 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: @@ -2688,7 +2929,7 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others + docker-image|quay.io/argoproj/argocd@v3.3.1, git@1:2.51.0-1ubuntu1 and others
    @@ -2700,11 +2941,11 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - git@1:2.43.0-1ubuntu7.3 + git@1:2.51.0-1ubuntu1 - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 + curl/libcurl3t64-gnutls@8.14.1-2ubuntu1 @@ -2717,13 +2958,13 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a cross-protocol redirect to a second URL that uses an IMAP, LDAP, POP3 or SMTP scheme, curl might wrongly pass on the bearer token to the new target host.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 curl.

      +

      There is no fixed version for Ubuntu:25.10 curl.

      References

    -
    -

    CVE-2025-0167

    -
    - -
    -
    - low severity -
    -
    - Exploit: Not Defined -
    -
    - -
    - -
      -
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile -
    • -
    • - Package Manager: ubuntu:24.04 -
    • -
    • - Vulnerable module: - - curl/libcurl3t64-gnutls -
    • - -
    • Introduced through: - - - docker-image|quay.io/argoproj/argocd@v3.1.11, git@1:2.43.0-1ubuntu7.3 and others -
    • -
    - -
    - - -

    Detailed paths

    - -
      -
    • - Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 - - git@1:2.43.0-1ubuntu7.3 - - curl/libcurl3t64-gnutls@8.5.0-2ubuntu10.6 - - - -
    • -
    - -
    - -
    - -

    NVD Description

    -

    Note: Versions mentioned in the description apply only to the upstream curl package and not the curl package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

    -

    When asked to use a .netrc file for credentials and to follow HTTP - redirects, curl could leak the password used for the first host to the - followed-to host under certain circumstances.

    -

    This flaw only manifests itself if the netrc file has a default entry that - omits both login and password. A rare circumstance.

    -

    Remediation

    -

    There is no fixed version for Ubuntu:24.04 curl.

    -

    References

    - - -
    - -
    @@ -2841,20 +2998,20 @@
    • - Manifest file: quay.io/argoproj/argocd:v3.1.11/argoproj/argocd Dockerfile + Manifest file: quay.io/argoproj/argocd:v3.3.1/argoproj/argocd Dockerfile
    • - Package Manager: ubuntu:24.04 + Package Manager: ubuntu:25.10
    • Vulnerable module: - coreutils + coreutils/gnu-coreutils
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 and coreutils@9.4-3ubuntu6.1 + docker-image|quay.io/argoproj/argocd@v3.3.1 and coreutils/gnu-coreutils@9.5-1ubuntu4
    @@ -2867,9 +3024,33 @@
    • Introduced through: - docker-image|quay.io/argoproj/argocd@v3.1.11 + docker-image|quay.io/argoproj/argocd@v3.3.1 - coreutils@9.4-3ubuntu6.1 + coreutils/gnu-coreutils@9.5-1ubuntu4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + tzdata@2025b-3ubuntu1.1 + + coreutils/gnu-coreutils@9.5-1ubuntu4 + + + +
    • +
    • + Introduced through: + docker-image|quay.io/argoproj/argocd@v3.3.1 + + coreutils-from/coreutils@9.5-1ubuntu2+0.0.0~ubuntu24 + + coreutils-from/coreutils-from-uutils@0.0.0~ubuntu24 + + coreutils/gnu-coreutils@9.5-1ubuntu4 @@ -2882,10 +3063,10 @@

      NVD Description

      Note: Versions mentioned in the description apply only to the upstream coreutils package and not the coreutils package as distributed by Ubuntu. - See How to fix? for Ubuntu:24.04 relevant fixed versions and status.

      + See How to fix? for Ubuntu:25.10 relevant fixed versions and status.

      chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal's input buffer.

      Remediation

      -

      There is no fixed version for Ubuntu:24.04 coreutils.

      +

      There is no fixed version for Ubuntu:25.10 coreutils.

      References

    diff --git a/docs/try_argo_cd_locally.md b/docs/try_argo_cd_locally.md index ee88dbcfba..342342a1d5 100644 --- a/docs/try_argo_cd_locally.md +++ b/docs/try_argo_cd_locally.md @@ -10,7 +10,7 @@ To run an Argo CD development environment review the [developer guide for runnin ## Install Kind -Install Kind Following Instructions [here](https://kind.sigs.k8s.io/docs/user/quick-start#installation). +Install Kind following their quick-start [instructions](https://kind.sigs.k8s.io/docs/user/quick-start#installation). ## Create a Kind Cluster Once Kind is installed, create a new Kubernetes cluster with: diff --git a/docs/user-guide/annotations-and-labels.md b/docs/user-guide/annotations-and-labels.md index c12c8e23db..e680117415 100644 --- a/docs/user-guide/annotations-and-labels.md +++ b/docs/user-guide/annotations-and-labels.md 
@@ -11,7 +11,7 @@ | argocd.argoproj.io/manifest-generate-paths | Application | [see scaling docs](../operator-manual/high_availability.md#manifest-paths-annotation) | Used to avoid unnecessary Application refreshes, especially in mono-repos. | | argocd.argoproj.io/managed-by-url | Application | A valid http(s) URL | Specifies the URL of the Argo CD instance managing the application. Used to correctly link to applications managed by a different Argo CD instance. See [managed-by-url docs](../operator-manual/managed-by-url.md) for details. | | argocd.argoproj.io/refresh | Application | `normal`, `hard` | Indicates that app needs to be refreshed. Removed by application controller after app is refreshed. Value `"hard"` means manifest cache and target cluster state cache should be invalidated before refresh. | -| argocd.argoproj.io/skip-reconcile | Application | `"true"` | Indicates to the Argo CD application controller that the Application should not be reconciled. See the [skip reconcile documentation](skip_reconcile.md) for use cases. | +| argocd.argoproj.io/skip-reconcile | Application, Cluster Secret | `"true"` | On an Application, skips reconciliation for that app. On a cluster secret, skips reconciliation for all apps targeting that cluster. See [skip reconcile docs](skip_reconcile.md). | | argocd.argoproj.io/sync-options | any | [see sync options docs](sync-options.md) | Provides a variety of settings to determine how an Application's resources are synced. | | argocd.argoproj.io/sync-wave | any | [see sync waves docs](sync-waves.md) | | | argocd.argoproj.io/tracking-id | any | any | Used by Argo CD to track resources it manages. See [resource tracking docs](resource_tracking.md) for details. | diff --git a/docs/user-guide/auto_sync.md b/docs/user-guide/auto_sync.md index 645095a590..c2eeb49f77 100644 --- a/docs/user-guide/auto_sync.md +++ b/docs/user-guide/auto_sync.md 
@@ -32,7 +32,7 @@ spec: ## Temporarily toggling auto-sync for applications managed by ApplicationSets For a standalone application, toggling auto-sync is performed by changing the application's `spec.syncPolicy.automated` field. For an ApplicationSet managed application, changing the application's `spec.syncPolicy.automated` field will, however, have no effect. -Read more details about how to perform the toggling for applications managed by ApplicationSets [here](../operator-manual/applicationset/Controlling-Resource-Modification.md). +[Controlling Resource Modification](../operator-manual/applicationset/Controlling-Resource-Modification.md) has more details about how to perform the toggling for applications managed by ApplicationSets. ## Automatic Pruning diff --git a/docs/user-guide/commands/argocd_app.md b/docs/user-guide/commands/argocd_app.md index 7e3627f3da..d586915cb6 100644 --- a/docs/user-guide/commands/argocd_app.md +++ b/docs/user-guide/commands/argocd_app.md @@ -97,7 +97,7 @@ argocd app [flags] * [argocd app patch](argocd_app_patch.md) - Patch application * [argocd app patch-resource](argocd_app_patch-resource.md) - Patch resource in an application * [argocd app remove-source](argocd_app_remove-source.md) - Remove a source from multiple sources application. -* [argocd app resources](argocd_app_resources.md) - List resource of application +* [argocd app resources](argocd_app_resources.md) - List resources of application * [argocd app rollback](argocd_app_rollback.md) - Rollback application to a previous deployed version by History ID, omitted will Rollback to the previous version * [argocd app set](argocd_app_set.md) - Set application parameters * [argocd app sync](argocd_app_sync.md) - Sync an application to its target state diff --git a/docs/user-guide/commands/argocd_app_resources.md b/docs/user-guide/commands/argocd_app_resources.md index e4d0548d88..0de5972286 100644 --- a/docs/user-guide/commands/argocd_app_resources.md 
+++ b/docs/user-guide/commands/argocd_app_resources.md @@ -2,18 +2,36 @@ ## argocd app resources -List resource of application +List resources of application ``` argocd app resources APPNAME [flags] ``` +### Examples + +``` + # List first-level resources of application + argocd app resources my-app --refresh + + # List only the orphaned resources of application + argocd app resources my-app --orphaned + + # Shows resource hierarchy with parent-child relationships + argocd app resources my-app --output tree + + # Shows resource hierarchy with parent-child relationships including information about age, health and reason + argocd app resources my-app --output tree=detailed +``` + ### Options ``` -h, --help help for resources --orphaned Lists only orphaned resources - --output string Provides the tree view of the resources + --output string Output format. One of: tree|tree=detailed. + tree: Shows resource hierarchy with parent-child relationships + tree=detailed: Same as tree, but includes AGE, HEALTH, and REASON columns --project string The name of the application's project - specifying this allows the command to report "not found" instead of "permission denied" if the app does not exist ``` diff --git a/docs/user-guide/helm.md b/docs/user-guide/helm.md index 540f893ad7..541be95e1d 100644 --- a/docs/user-guide/helm.md +++ b/docs/user-guide/helm.md 
@@ -45,9 +45,9 @@ spec: > [!NOTE] > **When using Helm there are multiple ways to provide values** > -> Order of precedence is `parameters > valuesObject > values > valueFiles > helm repository values.yaml` (see [Here](./helm.md#helm-value-precedence) for a more detailed example) +> Order of precedence is `parameters > valuesObject > values > valueFiles > helm repository values.yaml`. [Value precedence](./helm.md#helm-value-precedence) has a more detailed example. -See [here](../operator-manual/declarative-setup.md#helm) for more info about how to configure private Helm repositories and private OCI registries. +The [Declarative Setup section on Helm](../operator-manual/declarative-setup.md#helm) has more info about how to configure private Helm repositories and private OCI registries. ## Values Files diff --git a/docs/user-guide/kustomize.md b/docs/user-guide/kustomize.md index ead7306fa2..f524e0a4e9 100644 --- a/docs/user-guide/kustomize.md +++ b/docs/user-guide/kustomize.md @@ -24,8 +24,8 @@ If the `kustomization.yaml` file exists at the location pointed to by `repoURL` The following configuration options are available for Kustomize: -* `namePrefix` is a prefix appended to resources for Kustomize apps -* `nameSuffix` is a suffix appended to resources for Kustomize apps +* `namePrefix` overrides the namePrefix in the kustomization.yaml for Kustomize apps +* `nameSuffix` overrides the nameSuffix in the kustomization.yaml for Kustomize apps * `images` is a list of Kustomize image overrides * `replicas` is a list of Kustomize replica overrides * `commonLabels` is a string map of additional labels diff --git a/docs/user-guide/sync-options.md b/docs/user-guide/sync-options.md index 56ccb00ad5..d99c532d3b 100644 --- a/docs/user-guide/sync-options.md +++ b/docs/user-guide/sync-options.md 
@@ -139,7 +139,7 @@ $ argocd app set guestbook --sync-option ApplyOutOfSyncOnly=true By default, extraneous resources get pruned using the foreground deletion policy. The propagation policy can be controlled using the `PrunePropagationPolicy` sync option. Supported policies are background, foreground, and orphan. -More information about those policies can be found [here](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/#controlling-how-the-garbage-collector-deletes-dependents). +More information about those policies can be found in the Kubernetes [Garbage Collection](https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/) documentation. ```yaml apiVersion: argoproj.io/v1alpha1 @@ -330,9 +330,10 @@ This is useful when you have other operators managing resources that are no long When client-side apply migration is enabled: 1. Argo CD will use the specified field manager (or default if not specified) to perform migration 2. During a server-side apply sync operation, it will: - - Perform a client-side-apply with the specified field manager - - Move the 'last-applied-configuration' annotation to be managed by the specified manager - - Perform the server-side apply, which will auto migrate all the fields under the manager that owns the 'last-applied-configuration' annotation. + - Check if the specified field manager exists in the resource's `managedFields` with `operation: Update` (indicating client-side apply) + - Patch the `managedFields`, transferring field ownership from the client-side apply manager to Argo CD's server-side apply manager (`argocd-controller`) + - Remove the client-side apply manager entry from `managedFields` + - Perform the server-side apply with the migrated field ownership This feature is based on Kubernetes' [client-side to server-side apply migration](https://kubernetes.io/docs/reference/using-api/server-side-apply/#migration-between-client-side-and-server-side-apply). 
diff --git a/docs/user-guide/sync-waves.md b/docs/user-guide/sync-waves.md
index 0024f0136e..19479deb03 100644
--- a/docs/user-guide/sync-waves.md
+++ b/docs/user-guide/sync-waves.md
@@ -185,7 +185,8 @@ spec:
 backoffLimit: 2
 ```
-The following example runs a db migration command before the main sync operation (also in wave -1):
+### Initialize or migrate a database
+The following example runs a db initialization/migration command before the main sync operation (also in wave -1):
 ```yaml
 apiVersion: batch/v1
 kind: Job
diff --git a/gitops-engine/Makefile b/gitops-engine/Makefile
index 8c31d4351a..8ebaef4ce0 100644
--- a/gitops-engine/Makefile
+++ b/gitops-engine/Makefile
@@ -29,4 +29,4 @@ agent-manifests:
 .PHONY: generate-mocks
 generate-mocks:
- go generate -x -v "github.com/argoproj/gitops-engine/pkg/utils/tracing/tracer_testing"
+ go generate -x -v "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing/tracer_testing"
diff --git a/gitops-engine/README.md b/gitops-engine/README.md
index 8a21c4ffac..c83c7e8b61 100644
--- a/gitops-engine/README.md
+++ b/gitops-engine/README.md
@@ -9,3 +9,15 @@ This library implements core GitOps features:
 - Sync Planning ✅
 - Access to Git repositories
 - Manifest Generation
+
+## Usage
+
+This library is mainly designed to be used by the Argo CD project.
+However, it can also be used by other projects that need GitOps
+features.
+
+To use the library, add it as a dependency in your Go module:
+
+```bash
+go get github.com/argoproj/argo-cd/gitops-engine
+```
diff --git a/gitops-engine/agent/README.md b/gitops-engine/agent/README.md
index fbf4f78421..41a81b68cb 100644
--- a/gitops-engine/agent/README.md
+++ b/gitops-engine/agent/README.md
@@ -41,7 +41,8 @@ kubectl get deployment
 The cluster mode grants full cluster access to the GitOps Agent. Use the following command to install an agent into the `gitops-agent` namespace and use it to manage resources in any cluster namespace.
-> Note. In cluster mode agents gets **full** cluster access.
+> [!NOTE]
+> In cluster mode agents gets **full** cluster access.
 > See [gitops-agent-cluster-role.yaml](./manifests/cluster-install/gitops-agent-cluster-role.yaml) definition for more information.
 ```bash
diff --git a/gitops-engine/agent/main.go b/gitops-engine/agent/main.go
index 1fa7d9d6f6..d16a0266e1 100644
--- a/gitops-engine/agent/main.go
+++ b/gitops-engine/agent/main.go
@@ -14,7 +14,7 @@ import (
 "text/tabwriter"
 "time"
- "github.com/argoproj/gitops-engine/pkg/utils/text"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text"
 "github.com/go-logr/logr"
 "github.com/spf13/cobra"
@@ -22,10 +22,10 @@ import (
 "k8s.io/client-go/tools/clientcmd"
 "k8s.io/klog/v2/textlogger"
- "github.com/argoproj/gitops-engine/pkg/cache"
- "github.com/argoproj/gitops-engine/pkg/engine"
- "github.com/argoproj/gitops-engine/pkg/sync"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/cache"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/engine"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 _ "net/http/pprof"
 )
diff --git a/gitops-engine/go.mod b/gitops-engine/go.mod
index 248a956041..957b7109fc 100644
--- a/gitops-engine/go.mod
+++ b/gitops-engine/go.mod
@@ -1,6 +1,6 @@
-module github.com/argoproj/gitops-engine
+module github.com/argoproj/argo-cd/gitops-engine
-go 1.25.5
+go 1.26.0
 require (
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc
diff --git a/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints/util.go b/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints/util.go
index 58b7c13331..dc75dcbfb4 100644
--- a/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints/util.go
+++ b/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints/util.go
@@ -22,7 +22,7 @@ import (
 "hash"
 "sort"
- hashutil "github.com/argoproj/gitops-engine/internal/kubernetes_vendor/pkg/util/hash"
+ hashutil "github.com/argoproj/argo-cd/gitops-engine/internal/kubernetes_vendor/pkg/util/hash"
 v1 "k8s.io/api/core/v1"
 )
diff --git a/gitops-engine/pkg/cache/cluster.go b/gitops-engine/pkg/cache/cluster.go
index ba9a4c7da9..0cd484d225 100644
--- a/gitops-engine/pkg/cache/cluster.go
+++ b/gitops-engine/pkg/cache/cluster.go
@@ -56,8 +56,8 @@ import (
 "k8s.io/klog/v2/textlogger"
 "k8s.io/kubectl/pkg/util/openapi"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
- "github.com/argoproj/gitops-engine/pkg/utils/tracing"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing"
 )
 const (
diff --git a/gitops-engine/pkg/cache/cluster_test.go b/gitops-engine/pkg/cache/cluster_test.go
index ea21ce497d..9f05835ae0 100644
--- a/gitops-engine/pkg/cache/cluster_test.go
+++ b/gitops-engine/pkg/cache/cluster_test.go
@@ -33,8 +33,8 @@ import (
 testcore "k8s.io/client-go/testing"
 "sigs.k8s.io/yaml"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
- "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest"
 )
 func mustToUnstructured(obj any) *unstructured.Unstructured {
diff --git a/gitops-engine/pkg/cache/mocks/ClusterCache.go b/gitops-engine/pkg/cache/mocks/ClusterCache.go
index adcfe8ae39..dbf8241760 100644
--- a/gitops-engine/pkg/cache/mocks/ClusterCache.go
+++ b/gitops-engine/pkg/cache/mocks/ClusterCache.go
@@ -5,8 +5,8 @@ package mocks
 import (
- "github.com/argoproj/gitops-engine/pkg/cache"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/cache"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 mock "github.com/stretchr/testify/mock"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/runtime/schema"
diff --git a/gitops-engine/pkg/cache/predicates_test.go b/gitops-engine/pkg/cache/predicates_test.go
index 74522f71e7..fb909bb417 100644
--- a/gitops-engine/pkg/cache/predicates_test.go
+++ b/gitops-engine/pkg/cache/predicates_test.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 "testing"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/gitops-engine/pkg/cache/references.go b/gitops-engine/pkg/cache/references.go
index cb16314b9d..59df0e73b0 100644
--- a/gitops-engine/pkg/cache/references.go
+++ b/gitops-engine/pkg/cache/references.go
@@ -10,7 +10,7 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/apimachinery/pkg/types"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 )
 // mightHaveInferredOwner returns true of given resource might have inferred owners
diff --git a/gitops-engine/pkg/cache/references_test.go b/gitops-engine/pkg/cache/references_test.go
index bc496fa61d..8a447044fe 100644
--- a/gitops-engine/pkg/cache/references_test.go
+++ b/gitops-engine/pkg/cache/references_test.go
@@ -10,7 +10,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 )
 func Test_isStatefulSetChild(t *testing.T) {
diff --git a/gitops-engine/pkg/cache/resource.go b/gitops-engine/pkg/cache/resource.go
index 2837a6e401..d4d32b5c71 100644
--- a/gitops-engine/pkg/cache/resource.go
+++ b/gitops-engine/pkg/cache/resource.go
@@ -9,7 +9,7 @@ import (
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 )
 // Resource holds the information about Kubernetes resource, ownership references and optional information
diff --git a/gitops-engine/pkg/cache/settings.go b/gitops-engine/pkg/cache/settings.go
index 692ac26748..9af5823188 100644
--- a/gitops-engine/pkg/cache/settings.go
+++ b/gitops-engine/pkg/cache/settings.go
@@ -7,9 +7,9 @@ import (
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 "k8s.io/client-go/rest"
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
- "github.com/argoproj/gitops-engine/pkg/utils/tracing"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing"
 )
 // NewNoopSettings returns cache settings that has not health customizations and don't filter any resources
diff --git a/gitops-engine/pkg/cache/settings_test.go b/gitops-engine/pkg/cache/settings_test.go
index fdc1a74128..e5d757b6a8 100644
--- a/gitops-engine/pkg/cache/settings_test.go
+++ b/gitops-engine/pkg/cache/settings_test.go
@@ -7,7 +7,7 @@ import (
 "github.com/stretchr/testify/assert"
 "k8s.io/client-go/rest"
- "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest"
 )
 func TestSetSettings(t *testing.T) {
diff --git a/gitops-engine/pkg/diff/diff.go b/gitops-engine/pkg/diff/diff.go
index 545a354f30..244f78010e 100644
--- a/gitops-engine/pkg/diff/diff.go
+++ b/gitops-engine/pkg/diff/diff.go
@@ -26,11 +26,11 @@ import (
 "sigs.k8s.io/structured-merge-diff/v6/merge"
 "sigs.k8s.io/structured-merge-diff/v6/typed"
- "github.com/argoproj/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints"
- "github.com/argoproj/gitops-engine/pkg/diff/internal/fieldmanager"
- "github.com/argoproj/gitops-engine/pkg/sync/resource"
- jsonutil "github.com/argoproj/gitops-engine/pkg/utils/json"
- gescheme "github.com/argoproj/gitops-engine/pkg/utils/kube/scheme"
+ "github.com/argoproj/argo-cd/gitops-engine/internal/kubernetes_vendor/pkg/api/v1/endpoints"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff/internal/fieldmanager"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource"
+ jsonutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/json"
+ gescheme "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/scheme"
 )
 const (
diff --git a/gitops-engine/pkg/diff/diff_test.go b/gitops-engine/pkg/diff/diff_test.go
index 148eba4846..514d60e0d5 100644
--- a/gitops-engine/pkg/diff/diff_test.go
+++ b/gitops-engine/pkg/diff/diff_test.go
@@ -27,8 +27,8 @@ import (
 openapiproto "k8s.io/kube-openapi/pkg/util/proto"
 "sigs.k8s.io/yaml"
- "github.com/argoproj/gitops-engine/pkg/diff/mocks"
- "github.com/argoproj/gitops-engine/pkg/diff/testdata"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff/mocks"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff/testdata"
 )
 func printDiff(ctx context.Context, result *DiffResult) (string, error) {
diff --git a/gitops-engine/pkg/engine/engine.go b/gitops-engine/pkg/engine/engine.go
index 01e5561b19..4196876315 100644
--- a/gitops-engine/pkg/engine/engine.go
+++ b/gitops-engine/pkg/engine/engine.go
@@ -4,7 +4,7 @@ and "implements" GitOps.
 Example
-The https://github.com/argoproj/gitops-engine/tree/master/agent demonstrates how to use the engine.
+The https://github.com/argoproj/argo-cd/gitops-engine/tree/master/agent demonstrates how to use the engine.
 */
 package engine
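Review bot: The rewritten package-comment link `https://github.com/argoproj/argo-cd/gitops-engine/tree/master/agent` is the Go module path with `/tree/master/agent` appended, but GitHub only routes `owner/repo/tree/<ref>/<path>`, so this URL very likely returns 404 now that the module lives in a subdirectory of the argo-cd repository. The browsable location of the same directory would be `https://github.com/argoproj/argo-cd/tree/master/gitops-engine/agent`. I'd change the added line to `The https://github.com/argoproj/argo-cd/tree/master/gitops-engine/agent demonstrates how to use the engine.`. The enclosing package comment begins before this hunk.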
@@ -18,11 +18,11 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/client-go/rest" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/sync" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) const ( diff --git a/gitops-engine/pkg/engine/engine_options.go b/gitops-engine/pkg/engine/engine_options.go index d49263dc6d..6f1dc8d020 100644 --- a/gitops-engine/pkg/engine/engine_options.go +++ b/gitops-engine/pkg/engine/engine_options.go @@ -4,8 +4,8 @@ import ( "github.com/go-logr/logr" "k8s.io/klog/v2/textlogger" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" ) type Option func(*options) diff --git a/gitops-engine/pkg/health/health.go b/gitops-engine/pkg/health/health.go index ef09023f41..58800cf799 100644 --- a/gitops-engine/pkg/health/health.go +++ b/gitops-engine/pkg/health/health.go @@ -6,8 +6,8 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) // Represents resource health status diff --git a/gitops-engine/pkg/health/health_apiservice.go b/gitops-engine/pkg/health/health_apiservice.go index 8def46256d..c83cc119dd 100644 
--- a/gitops-engine/pkg/health/health_apiservice.go +++ b/gitops-engine/pkg/health/health_apiservice.go @@ -8,7 +8,7 @@ import ( apiregistrationv1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1" apiregistrationv1beta1 "k8s.io/kube-aggregator/pkg/apis/apiregistration/v1beta1" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getAPIServiceHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_daemonset.go b/gitops-engine/pkg/health/health_daemonset.go index 9cb9eff8e6..39336c6f23 100644 --- a/gitops-engine/pkg/health/health_daemonset.go +++ b/gitops-engine/pkg/health/health_daemonset.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getDaemonSetHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_deployment.go b/gitops-engine/pkg/health/health_deployment.go index 4f7984a2f4..b3aaa91df3 100644 --- a/gitops-engine/pkg/health/health_deployment.go +++ b/gitops-engine/pkg/health/health_deployment.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getDeploymentHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_hpa.go b/gitops-engine/pkg/health/health_hpa.go index 67d1787674..643e2f7484 100644 --- a/gitops-engine/pkg/health/health_hpa.go +++ b/gitops-engine/pkg/health/health_hpa.go 
@@ -11,7 +11,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) var progressingStatus = &HealthStatus{ diff --git a/gitops-engine/pkg/health/health_job.go b/gitops-engine/pkg/health/health_job.go index b79b4d9022..8b277226a9 100644 --- a/gitops-engine/pkg/health/health_job.go +++ b/gitops-engine/pkg/health/health_job.go @@ -9,7 +9,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getJobHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_pod.go b/gitops-engine/pkg/health/health_pod.go index 9ebcef5581..74c9dfcec3 100644 --- a/gitops-engine/pkg/health/health_pod.go +++ b/gitops-engine/pkg/health/health_pod.go @@ -9,7 +9,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/kubectl/pkg/util/podutils" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getPodHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_pvc.go b/gitops-engine/pkg/health/health_pvc.go index 7d41120a0d..5d05141f3d 100644 --- a/gitops-engine/pkg/health/health_pvc.go +++ b/gitops-engine/pkg/health/health_pvc.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getPVCHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_replicaset.go b/gitops-engine/pkg/health/health_replicaset.go index 7d59eaccc0..d67c51889e 100644 
--- a/gitops-engine/pkg/health/health_replicaset.go +++ b/gitops-engine/pkg/health/health_replicaset.go @@ -8,7 +8,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getReplicaSetHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_service.go b/gitops-engine/pkg/health/health_service.go index ea8cda2bb8..9383f90eb5 100644 --- a/gitops-engine/pkg/health/health_service.go +++ b/gitops-engine/pkg/health/health_service.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getServiceHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/health/health_statefulset.go b/gitops-engine/pkg/health/health_statefulset.go index 920e5ed2d1..dfea2f169c 100644 --- a/gitops-engine/pkg/health/health_statefulset.go +++ b/gitops-engine/pkg/health/health_statefulset.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) func getStatefulSetHealth(obj *unstructured.Unstructured) (*HealthStatus, error) { diff --git a/gitops-engine/pkg/sync/common/types.go b/gitops-engine/pkg/sync/common/types.go index 00976ff5d1..30055ff177 100644 --- a/gitops-engine/pkg/sync/common/types.go +++ b/gitops-engine/pkg/sync/common/types.go @@ -4,7 +4,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) const ( 
diff --git a/gitops-engine/pkg/sync/doc.go b/gitops-engine/pkg/sync/doc.go index a18ddfcb66..b8202e1580 100644 --- a/gitops-engine/pkg/sync/doc.go +++ b/gitops-engine/pkg/sync/doc.go @@ -100,6 +100,6 @@ in-sync and healthy. # Example -Find real-life example in https://github.com/argoproj/gitops-engine/blob/master/pkg/engine/engine.go +Find real-life example in https://github.com/argoproj/argo-cd/gitops-engine/blob/master/pkg/engine/engine.go */ package sync diff --git a/gitops-engine/pkg/sync/helper_test.go b/gitops-engine/pkg/sync/helper_test.go index f1938cf2a5..9c12551be2 100644 --- a/gitops-engine/pkg/sync/helper_test.go +++ b/gitops-engine/pkg/sync/helper_test.go @@ -7,11 +7,11 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) type resourceNameHealthOverride map[string]health.HealthStatusCode diff --git a/gitops-engine/pkg/sync/hook/delete_policy.go b/gitops-engine/pkg/sync/hook/delete_policy.go index 56a9e15c8a..0934af1658 100644 --- a/gitops-engine/pkg/sync/hook/delete_policy.go +++ b/gitops-engine/pkg/sync/hook/delete_policy.go 
@@ -3,9 +3,9 @@ package hook import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - helmhook "github.com/argoproj/gitops-engine/pkg/sync/hook/helm" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + helmhook "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook/helm" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" ) func DeletePolicies(obj *unstructured.Unstructured) []common.HookDeletePolicy { diff --git a/gitops-engine/pkg/sync/hook/delete_policy_test.go b/gitops-engine/pkg/sync/hook/delete_policy_test.go index faa31e3faa..a2ca779f22 100644 --- a/gitops-engine/pkg/sync/hook/delete_policy_test.go +++ b/gitops-engine/pkg/sync/hook/delete_policy_test.go @@ -5,8 +5,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestDeletePolicies(t *testing.T) { diff --git a/gitops-engine/pkg/sync/hook/helm/delete_policy.go b/gitops-engine/pkg/sync/hook/helm/delete_policy.go index f174eda7d9..bde4d42cc1 100644 --- a/gitops-engine/pkg/sync/hook/helm/delete_policy.go +++ b/gitops-engine/pkg/sync/hook/helm/delete_policy.go @@ -1,8 +1,8 @@ package helm import ( - "github.com/argoproj/gitops-engine/pkg/sync/common" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/gitops-engine/pkg/sync/hook/helm/delete_policy_test.go b/gitops-engine/pkg/sync/hook/helm/delete_policy_test.go index 019ff9f259..4aa9734430 100644 
--- a/gitops-engine/pkg/sync/hook/helm/delete_policy_test.go +++ b/gitops-engine/pkg/sync/hook/helm/delete_policy_test.go @@ -5,8 +5,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestDeletePolicies(t *testing.T) { diff --git a/gitops-engine/pkg/sync/hook/helm/hook_test.go b/gitops-engine/pkg/sync/hook/helm/hook_test.go index 1e3e947007..8ec4d5209b 100644 --- a/gitops-engine/pkg/sync/hook/helm/hook_test.go +++ b/gitops-engine/pkg/sync/hook/helm/hook_test.go @@ -5,7 +5,7 @@ import ( "github.com/stretchr/testify/assert" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestIsHook(t *testing.T) { diff --git a/gitops-engine/pkg/sync/hook/helm/type.go b/gitops-engine/pkg/sync/hook/helm/type.go index f94f3bc47b..9ce8e70603 100644 --- a/gitops-engine/pkg/sync/hook/helm/type.go +++ b/gitops-engine/pkg/sync/hook/helm/type.go @@ -3,8 +3,8 @@ package helm import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" ) type Type string diff --git a/gitops-engine/pkg/sync/hook/helm/type_test.go b/gitops-engine/pkg/sync/hook/helm/type_test.go index c50777e800..4e732cb2ae 100644 --- a/gitops-engine/pkg/sync/hook/helm/type_test.go +++ b/gitops-engine/pkg/sync/hook/helm/type_test.go 
@@ -5,8 +5,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestTypes(t *testing.T) { diff --git a/gitops-engine/pkg/sync/hook/helm/weight_test.go b/gitops-engine/pkg/sync/hook/helm/weight_test.go index ab971ee11a..1703aee6b3 100644 --- a/gitops-engine/pkg/sync/hook/helm/weight_test.go +++ b/gitops-engine/pkg/sync/hook/helm/weight_test.go @@ -3,7 +3,7 @@ package helm import ( "testing" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" "github.com/stretchr/testify/assert" ) diff --git a/gitops-engine/pkg/sync/hook/hook.go b/gitops-engine/pkg/sync/hook/hook.go index 66dfc26e50..c0fe71a218 100644 --- a/gitops-engine/pkg/sync/hook/hook.go +++ b/gitops-engine/pkg/sync/hook/hook.go @@ -3,9 +3,9 @@ package hook import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - helmhook "github.com/argoproj/gitops-engine/pkg/sync/hook/helm" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + helmhook "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook/helm" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" ) const ( diff --git a/gitops-engine/pkg/sync/hook/hook_test.go b/gitops-engine/pkg/sync/hook/hook_test.go index dc4b51a217..1e752b25e5 100644 --- a/gitops-engine/pkg/sync/hook/hook_test.go +++ b/gitops-engine/pkg/sync/hook/hook_test.go 
@@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestNoHooks(t *testing.T) { diff --git a/gitops-engine/pkg/sync/ignore/ignore.go b/gitops-engine/pkg/sync/ignore/ignore.go index e7ea36defe..ec30139d0e 100644 --- a/gitops-engine/pkg/sync/ignore/ignore.go +++ b/gitops-engine/pkg/sync/ignore/ignore.go @@ -3,7 +3,7 @@ package ignore import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" ) // should we Ignore this resource? diff --git a/gitops-engine/pkg/sync/ignore/ignore_test.go b/gitops-engine/pkg/sync/ignore/ignore_test.go index 49ab65c3d7..7b07913e84 100644 --- a/gitops-engine/pkg/sync/ignore/ignore_test.go +++ b/gitops-engine/pkg/sync/ignore/ignore_test.go @@ -5,11 +5,11 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func newHook(obj *unstructured.Unstructured, hookType common.HookType) *unstructured.Unstructured { diff --git a/gitops-engine/pkg/sync/reconcile.go b/gitops-engine/pkg/sync/reconcile.go index ae32dde567..5f2ae76665 100644 --- a/gitops-engine/pkg/sync/reconcile.go +++ b/gitops-engine/pkg/sync/reconcile.go 
@@ -4,10 +4,10 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/types" - hookutil "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/sync/ignore" - kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/text" + hookutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/ignore" + kubeutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" ) func splitHooks(target []*unstructured.Unstructured) ([]*unstructured.Unstructured, []*unstructured.Unstructured) { diff --git a/gitops-engine/pkg/sync/reconcile_test.go b/gitops-engine/pkg/sync/reconcile_test.go index f1f21db32b..d1405d16a8 100644 --- a/gitops-engine/pkg/sync/reconcile_test.go +++ b/gitops-engine/pkg/sync/reconcile_test.go @@ -8,7 +8,7 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) type unknownResourceInfoProvider struct{} diff --git a/gitops-engine/pkg/sync/resource/annotations_test.go b/gitops-engine/pkg/sync/resource/annotations_test.go index f024df192e..397c87eba9 100644 --- a/gitops-engine/pkg/sync/resource/annotations_test.go +++ b/gitops-engine/pkg/sync/resource/annotations_test.go @@ -6,7 +6,7 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestHasAnnotationOption(t *testing.T) { diff --git a/gitops-engine/pkg/sync/sync_context.go b/gitops-engine/pkg/sync/sync_context.go index 12712f5302..309b0d7374 100644 --- a/gitops-engine/pkg/sync/sync_context.go 
+++ b/gitops-engine/pkg/sync/sync_context.go @@ -17,21 +17,24 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" + "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/apimachinery/pkg/util/wait" "k8s.io/client-go/discovery" "k8s.io/client-go/dynamic" "k8s.io/client-go/rest" + "k8s.io/client-go/util/csaupgrade" "k8s.io/client-go/util/retry" "k8s.io/klog/v2/textlogger" cmdutil "k8s.io/kubectl/pkg/cmd/util" "k8s.io/kubectl/pkg/util/openapi" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" - kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" + kubeutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) type reconciledResource struct { 
@@ -422,9 +425,22 @@ func (sc *syncContext) setRunningPhase(tasks syncTasks, isPendingDeletion bool) } else { firstTask = resources[0] } + nbAdditionalTask := tasks.Len() - 1 + + if !sc.pruneConfirmed { + tasksToPrune := tasks.Filter(func(task *syncTask) bool { + return task.isPrune() && resourceutil.HasAnnotationOption(task.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm) + }) + + if len(tasksToPrune) > 0 { + reason = "pruning confirmation of" + firstTask = tasksToPrune[0] + nbAdditionalTask = len(tasksToPrune) - 1 + } + } message := fmt.Sprintf("waiting for %s %s/%s/%s", reason, firstTask.group(), firstTask.kind(), firstTask.name()) - if nbAdditionalTask := len(tasks) - 1; nbAdditionalTask > 0 { + if nbAdditionalTask > 0 { message = fmt.Sprintf("%s and %d more %s", message, nbAdditionalTask, taskType) } sc.setOperationPhase(common.OperationRunning, message) @@ -1214,7 +1230,9 @@ func (sc *syncContext) shouldUseServerSideApply(targetObj *unstructured.Unstruct } // needsClientSideApplyMigration checks if a resource has fields managed by the specified manager -// that need to be migrated to the server-side apply manager +// with operation "Update" (client-side apply) that need to be migrated to server-side apply. +// Client-side apply uses operation "Update", while server-side apply uses operation "Apply". +// We only migrate managers with "Update" operation to avoid re-migrating already-migrated managers. func (sc *syncContext) needsClientSideApplyMigration(liveObj *unstructured.Unstructured, fieldManager string) bool { if liveObj == nil || fieldManager == "" { return false 
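Review bot: The prune-confirmation predicate `task.isPrune() && resourceutil.HasAnnotationOption(task.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm)` is now written twice, here and in the runTasks hunk at @@ -1487; if one copy is later changed the running-phase message and the actual gating will disagree. A small method such as `func (t *syncTask) requiresPruneConfirmation() bool { return t.isPrune() && resourceutil.HasAnnotationOption(t.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm) }` used from both places keeps them identical. Note also that `taskType` keeps its outer value when `reason` is switched to "pruning confirmation of", so the suffix reads "and N more <taskType>" for prune tasks; worth confirming that is the intended wording. setRunningPhase begins before this hunk.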
@@ -1226,7 +1244,9 @@ func (sc *syncContext) needsClientSideApplyMigration(liveObj *unstructured.Unstr } for _, field := range managedFields { - if field.Manager == fieldManager { + // Only consider managers with operation "Update" (client-side apply). + // Managers with operation "Apply" are already using server-side apply. + if field.Manager == fieldManager && field.Operation == metav1.ManagedFieldsOperationUpdate { return true } } 
@@ -1234,29 +1254,70 @@ func (sc *syncContext) needsClientSideApplyMigration(liveObj *unstructured.Unstr return false } -// performClientSideApplyMigration performs a client-side-apply using the specified field manager. -// This moves the 'last-applied-configuration' field to be managed by the specified manager. -// The next time server-side apply is performed, kubernetes automatically migrates all fields from the manager -// that owns 'last-applied-configuration' to the manager that uses server-side apply. This will remove the -// specified manager from the resources managed fields. 'kubectl-client-side-apply' is used as the default manager. -func (sc *syncContext) performClientSideApplyMigration(targetObj *unstructured.Unstructured, fieldManager string) error { - sc.log.WithValues("resource", kubeutil.GetResourceKey(targetObj)).V(1).Info("Performing client-side apply migration step") +// performCSAUpgradeMigration uses the csaupgrade package to migrate managed fields +// from a client-side apply manager (operation: Update) to the server-side apply manager. +// This directly patches the managedFields to transfer field ownership, avoiding the need +// to write the last-applied-configuration annotation (which has a 262KB size limit). +// This is the primary method for CSA to SSA migration in ArgoCD. 
+func (sc *syncContext) performCSAUpgradeMigration(liveObj *unstructured.Unstructured, csaFieldManager string) error { + sc.log.WithValues("resource", kubeutil.GetResourceKey(liveObj)).V(1).Info( + "Performing csaupgrade-based migration") - // Apply with the specified manager to set up the migration - _, err := sc.resourceOps.ApplyResource( - context.TODO(), - targetObj, - cmdutil.DryRunNone, - false, - false, - false, - fieldManager, - ) + // Get the dynamic resource interface for the live object + gvk := liveObj.GroupVersionKind() + apiResource, err := kubeutil.ServerResourceForGroupVersionKind(sc.disco, gvk, "patch") if err != nil { - return fmt.Errorf("failed to perform client-side apply migration on manager %s: %w", fieldManager, err) + return fmt.Errorf("failed to get api resource for %s: %w", gvk, err) } + res := kubeutil.ToGroupVersionResource(gvk.GroupVersion().String(), apiResource) + resIf := kubeutil.ToResourceInterface(sc.dynamicIf, apiResource, res, liveObj.GetNamespace()) - return nil + // Use retry to handle conflicts if managed fields changed between reconciliation and now + //nolint:wrapcheck // error is wrapped inside the retry function + return retry.RetryOnConflict(retry.DefaultRetry, func() error { + // Fetch fresh object to get current managed fields state + freshObj, getErr := resIf.Get(context.TODO(), liveObj.GetName(), metav1.GetOptions{}) + if getErr != nil { + return fmt.Errorf("failed to get fresh object for CSA migration: %w", getErr) + } + + // Check if migration is still needed with fresh state + if !sc.needsClientSideApplyMigration(freshObj, csaFieldManager) { + sc.log.WithValues("resource", kubeutil.GetResourceKey(liveObj)).V(1).Info( + "CSA migration no longer needed") + return nil + } + + // Generate the migration patch using the csaupgrade package + // This unions the CSA manager's fields into the SSA manager and removes the CSA manager entry + patchData, patchErr := csaupgrade.UpgradeManagedFieldsPatch( + freshObj, + 
sets.New(csaFieldManager), + sc.serverSideApplyManager, + ) + if patchErr != nil { + return fmt.Errorf("failed to generate csaupgrade migration patch: %w", patchErr) + } + if patchData == nil { + // No migration needed + return nil + } + + // Apply the migration patch to transfer field ownership. + _, patchErr = resIf.Patch(context.TODO(), liveObj.GetName(), types.JSONPatchType, patchData, metav1.PatchOptions{}) + if patchErr != nil { + if apierrors.IsConflict(patchErr) { + sc.log.WithValues("resource", kubeutil.GetResourceKey(liveObj)).V(1).Info( + "Retrying CSA migration due to conflict") + } + // Return the error unmodified so RetryOnConflict can identify conflicts correctly. + return patchErr + } + + sc.log.WithValues("resource", kubeutil.GetResourceKey(liveObj)).V(1).Info( + "Successfully migrated managed fields using csaupgrade") + return nil + }) } func (sc *syncContext) applyObject(t *syncTask, dryRun, validate bool) (common.ResultCode, string) { 
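Review bot: A NotFound from the fresh `resIf.Get` inside the retry closure is turned into a hard sync failure, although an object that disappeared between reconciliation and this step has nothing left to migrate and the subsequent apply is better placed to decide what to do; handling it like the "no longer needed" case, `if apierrors.IsNotFound(getErr) { return nil }` placed before the existing wrap, avoids failing the sync on a delete race. The `Retrying CSA migration due to conflict` log line also fires on the final attempt that RetryOnConflict gives up on, so the message overstates what happens; logging the conflict without the word "retrying" keeps the log truthful. The ownership transfer is, as far as I recall, guarded by a resourceVersion test op in the csaupgrade-generated patch (the ConflictRetry test relies on that behaviour), which is the reason RetryOnConflict is the right loop here; a one-line comment stating that would document why a plain retry is safe.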
@@ -1277,11 +1338,14 @@ func (sc *syncContext) applyObject(t *syncTask, dryRun, validate bool) (common.R serverSideApply := sc.shouldUseServerSideApply(t.targetObj, dryRun) // Check if we need to perform client-side apply migration for server-side apply + // Perform client-side apply migration for server-side apply + // This uses csaupgrade to directly patch managedFields, transferring ownership + // from CSA managers (operation: Update) to the SSA manager (argocd-controller) if serverSideApply && !dryRun && sc.enableClientSideApplyMigration { if sc.needsClientSideApplyMigration(t.liveObj, sc.clientSideApplyMigrationManager) { - err = sc.performClientSideApplyMigration(t.targetObj, sc.clientSideApplyMigrationManager) + err = sc.performCSAUpgradeMigration(t.liveObj, sc.clientSideApplyMigrationManager) if err != nil { - return common.ResultCodeSyncFailed, fmt.Sprintf("Failed to perform client-side apply migration: %v", err) + return common.ResultCodeSyncFailed, fmt.Sprintf("Failed to perform client-side apply migration for %s: %v", kubeutil.GetResourceKey(t.liveObj), err) } } } @@ -1487,21 +1551,12 @@ func (sc *syncContext) runTasks(tasks syncTasks, dryRun bool) runState { // prune first { if !sc.pruneConfirmed { - var resources []string for _, task := range pruneTasks { if resourceutil.HasAnnotationOption(task.liveObj, common.AnnotationSyncOptions, common.SyncOptionPruneRequireConfirm) { - resources = append(resources, fmt.Sprintf("%s/%s/%s", task.obj().GetAPIVersion(), task.obj().GetKind(), task.name())) + sc.log.WithValues("task", task).Info("Prune requires confirmation") + return pending } } - if len(resources) > 0 { - sc.log.WithValues("resources", resources).Info("Prune requires confirmation") - andMessage := "" - if len(resources) > 1 { - andMessage = fmt.Sprintf(" and %d more resources", len(resources)-1) - } - sc.message = fmt.Sprintf("Waiting for pruning confirmation of %s%s", resources[0], andMessage) - return pending - } } ss := newStateSync(state) 
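Review bot: The comment block above the migration now says the same thing twice, the retained `// Check if we need to perform client-side apply migration for server-side apply` followed by the added `// Perform client-side apply migration for server-side apply`, and the added text names the SSA manager as `(argocd-controller)` while the code uses `sc.serverSideApplyManager`, so the comment will drift from the configuration. Dropping the old line and writing `// from CSA managers (operation: Update) to the manager in sc.serverSideApplyManager` keeps it accurate. applyObject begins and ends outside this hunk.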
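Review bot: `sc.log.WithValues("task", task).Info("Prune requires confirmation")` passes the whole syncTask as a structured log value where the removed code logged only apiVersion/kind/name; unless syncTask implements fmt.Stringer (not visible here), the logger may serialize the embedded live and target objects, which for a Secret or ConfigMap would copy their data into the controller log. Logging the identifier explicitly, e.g. `sc.log.WithValues("resource", kubeutil.GetResourceKey(task.liveObj)).Info("Prune requires confirmation")`, does not depend on that. The early `return pending` also drops the user-facing text the deleted block used to put in sc.message; it looks like setRunningPhase (@@ -422) is meant to take that over, which a one-line comment here would make explicit. runTasks begins and ends outside this hunk.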
diff --git a/gitops-engine/pkg/sync/sync_context_test.go b/gitops-engine/pkg/sync/sync_context_test.go index f5905d8e0f..b8ec47aff1 100644 --- a/gitops-engine/pkg/sync/sync_context_test.go +++ b/gitops-engine/pkg/sync/sync_context_test.go @@ -28,13 +28,13 @@ import ( testcore "k8s.io/client-go/testing" "k8s.io/klog/v2/textlogger" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func newTestSyncCtx(getResourceFunc *func(ctx context.Context, config *rest.Config, gvk schema.GroupVersionKind, name string, namespace string) (*unstructured.Unstructured, error), opts ...SyncOpt) *syncContext { 
@@ -551,7 +551,7 @@ func TestSync_ApplyOutOfSyncOnly_ClusterResources(t *testing.T) { // spec.destination.namespace is set for all resources that does not have a namespace set, irrespective of whether // the resource is cluster scoped or namespace scoped. // - // Refer to https://github.com/argoproj/gitops-engine/blob/8007df5f6c5dd78a1a8cef73569468ce4d83682c/pkg/sync/sync_context.go#L827-L833 + // Refer to https://github.com/argoproj/argo-cd/gitops-engine/blob/8007df5f6c5dd78a1a8cef73569468ce4d83682c/pkg/sync/sync_context.go#L827-L833 ns2Target.SetNamespace("ns-2") syncCtx := newTestSyncCtx(nil, WithResourceModificationChecker(true, diffResultListClusterResource())) @@ -850,6 +850,33 @@ func TestDoNotPrunePruneFalse(t *testing.T) { assert.Equal(t, synccommon.OperationSucceeded, phase) } +func TestPruneConfirm(t *testing.T) { + syncCtx := newTestSyncCtx(nil, WithOperationSettings(false, true, false, false)) + pod := testingutils.NewPod() + pod.SetAnnotations(map[string]string{synccommon.AnnotationSyncOptions: "Prune=confirm"}) + pod.SetNamespace(testingutils.FakeArgoCDNamespace) + syncCtx.resources = groupResources(ReconciliationResult{ + Live: []*unstructured.Unstructured{pod}, + Target: []*unstructured.Unstructured{nil}, + }) + + syncCtx.Sync() + phase, msg, resources := syncCtx.GetState() + + assert.Equal(t, synccommon.OperationRunning, phase) + assert.Empty(t, resources) + assert.Equal(t, "waiting for pruning confirmation of /Pod/my-pod", msg) + + syncCtx.pruneConfirmed = true + syncCtx.Sync() + + phase, _, resources = syncCtx.GetState() + assert.Equal(t, synccommon.OperationSucceeded, phase) + assert.Len(t, resources, 1) + assert.Equal(t, synccommon.ResultCodePruned, resources[0].Status) + assert.Equal(t, "pruned", resources[0].Message) +} + // // make sure Validate=false means we don't validate func TestSyncOptionValidate(t *testing.T) { tests := []struct { 
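Review bot: TestPruneConfirm exercises only a single annotated resource, so the `nbAdditionalTask > 0` branch that setRunningPhase (@@ -422) now takes for prune-confirmation tasks, producing the "and N more" suffix, has no coverage; a second live object with the same `Prune=confirm` annotation and an assertion on the full message would pin that wording. The assertion `assert.Equal(t, "waiting for pruning confirmation of /Pod/my-pod", msg)` also locks in the leading slash for core-group resources, which is fine if intentional but deserves a short comment saying the empty group is expected there.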
@@ -2574,6 +2601,21 @@ func TestNeedsClientSideApplyMigration(t *testing.T) { }(), expected: true, }, + { + name: "CSA manager with Apply operation should not need migration", + liveObj: func() *unstructured.Unstructured { + obj := testingutils.NewPod() + obj.SetManagedFields([]metav1.ManagedFieldsEntry{ + { + Manager: "kubectl-client-side-apply", + Operation: metav1.ManagedFieldsOperationApply, + FieldsV1: &metav1.FieldsV1{Raw: []byte(`{"f:metadata":{"f:labels":{}}}`)}, + }, + }) + return obj + }(), + expected: false, + }, } for _, tt := range tests { 
@@ -2584,6 +2626,129 @@ func TestNeedsClientSideApplyMigration(t *testing.T) { } } +func TestPerformCSAUpgradeMigration_NoMigrationNeeded(t *testing.T) { + // Create a fake dynamic client with a Pod scheme + scheme := runtime.NewScheme() + _ = corev1.AddToScheme(scheme) + + // Object with only SSA manager (operation: Apply), no CSA manager (operation: Update) + obj := testingutils.NewPod() + obj.SetNamespace(testingutils.FakeArgoCDNamespace) + obj.SetManagedFields([]metav1.ManagedFieldsEntry{ + { + Manager: "argocd-controller", + Operation: metav1.ManagedFieldsOperationApply, + FieldsV1: &metav1.FieldsV1{Raw: []byte(`{"f:spec":{"f:containers":{}}}`)}, + }, + }) + + // Create fake dynamic client with the object + dynamicClient := fake.NewSimpleDynamicClient(scheme, obj) + + syncCtx := newTestSyncCtx(nil) + syncCtx.serverSideApplyManager = "argocd-controller" + syncCtx.dynamicIf = dynamicClient + syncCtx.disco = &fakedisco.FakeDiscovery{ + Fake: &testcore.Fake{Resources: testingutils.StaticAPIResources}, + } + + // Should return nil (no error) because there's no CSA manager to migrate + err := syncCtx.performCSAUpgradeMigration(obj, "kubectl-client-side-apply") + assert.NoError(t, err) +} + +func TestPerformCSAUpgradeMigration_WithCSAManager(t *testing.T) { + // Create a fake dynamic client with a Pod scheme + scheme := runtime.NewScheme() + _ = corev1.AddToScheme(scheme) + + // Create the live object with a CSA manager (operation: Update) + obj := testingutils.NewPod() + obj.SetNamespace(testingutils.FakeArgoCDNamespace) + obj.SetManagedFields([]metav1.ManagedFieldsEntry{ + { + Manager: "kubectl-client-side-apply", + Operation: metav1.ManagedFieldsOperationUpdate, + FieldsV1: &metav1.FieldsV1{Raw: []byte(`{"f:metadata":{"f:labels":{"f:app":{}}}}`)}, + }, + }) + + // Create fake dynamic client with the object + dynamicClient := fake.NewSimpleDynamicClient(scheme, obj) + + syncCtx := newTestSyncCtx(nil) + syncCtx.serverSideApplyManager = "argocd-controller" + 
syncCtx.dynamicIf = dynamicClient + syncCtx.disco = &fakedisco.FakeDiscovery{ + Fake: &testcore.Fake{Resources: testingutils.StaticAPIResources}, + } + + // Perform the migration + err := syncCtx.performCSAUpgradeMigration(obj, "kubectl-client-side-apply") + assert.NoError(t, err) + + // Get the updated object from the fake client + gvr := schema.GroupVersionResource{Group: "", Version: "v1", Resource: "pods"} + updatedObj, err := dynamicClient.Resource(gvr).Namespace(obj.GetNamespace()).Get(context.TODO(), obj.GetName(), metav1.GetOptions{}) + require.NoError(t, err) + + // Verify the CSA manager (operation: Update) no longer exists + managedFields := updatedObj.GetManagedFields() + for _, mf := range managedFields { + if mf.Manager == "kubectl-client-side-apply" && mf.Operation == metav1.ManagedFieldsOperationUpdate { + t.Errorf("CSA manager 'kubectl-client-side-apply' with operation Update should have been removed, but still exists") + } + } +} + +func TestPerformCSAUpgradeMigration_ConflictRetry(t *testing.T) { + // This test verifies that when a 409 Conflict occurs on the patch because + // another actor modified the object between Get and Patch, changing the resourceVersion, + // the retry.RetryOnConflict loop retries and eventually succeeds. + scheme := runtime.NewScheme() + _ = corev1.AddToScheme(scheme) + + obj := testingutils.NewPod() + obj.SetNamespace(testingutils.FakeArgoCDNamespace) + obj.SetManagedFields([]metav1.ManagedFieldsEntry{ + { + Manager: "kubectl-client-side-apply", + Operation: metav1.ManagedFieldsOperationUpdate, + FieldsV1: &metav1.FieldsV1{Raw: []byte(`{"f:metadata":{"f:labels":{"f:app":{}}}}`)}, + }, + }) + + dynamicClient := fake.NewSimpleDynamicClient(scheme, obj) + + // Simulate a conflict on the first patch attempt where another + // controller modified the object between our Get and Patch, bumping resourceVersion). + // The second attempt should succeed. 
+ patchAttempt := 0 + dynamicClient.PrependReactor("patch", "*", func(action testcore.Action) (handled bool, ret runtime.Object, err error) { + patchAttempt++ + if patchAttempt == 1 { + // First attempt: simulate 409 Conflict (resourceVersion mismatch) + return true, nil, apierrors.NewConflict( + schema.GroupResource{Group: "", Resource: "pods"}, + obj.GetName(), + errors.New("the object has been modified; please apply your changes to the latest version"), + ) + } + return false, nil, nil + }) + + syncCtx := newTestSyncCtx(nil) + syncCtx.serverSideApplyManager = "argocd-controller" + syncCtx.dynamicIf = dynamicClient + syncCtx.disco = &fakedisco.FakeDiscovery{ + Fake: &testcore.Fake{Resources: testingutils.StaticAPIResources}, + } + + err := syncCtx.performCSAUpgradeMigration(obj, "kubectl-client-side-apply") + assert.NoError(t, err, "Migration should succeed after retrying on conflict") + assert.Equal(t, 2, patchAttempt, "Expected exactly 2 patch attempts (1 conflict + 1 success)") +} + func diffResultListClusterResource() *diff.DiffResultList { ns1 := testingutils.NewNamespace() ns1.SetName("ns-1") diff --git a/gitops-engine/pkg/sync/sync_phase.go b/gitops-engine/pkg/sync/sync_phase.go index ee0d3cade5..51aa77c0b4 100644 --- a/gitops-engine/pkg/sync/sync_phase.go +++ b/gitops-engine/pkg/sync/sync_phase.go @@ -3,8 +3,8 @@ package sync import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" ) func syncPhases(obj *unstructured.Unstructured) []common.SyncPhase { diff --git a/gitops-engine/pkg/sync/sync_phase_test.go b/gitops-engine/pkg/sync/sync_phase_test.go index 0945ff6650..1ab7d41508 100644 --- a/gitops-engine/pkg/sync/sync_phase_test.go +++ b/gitops-engine/pkg/sync/sync_phase_test.go 
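Review bot: The managed-fields loop at the end of TestPerformCSAUpgradeMigration_WithCSAManager only asserts that no `kubectl-client-side-apply`/Update entry remains, so a migration that merely deleted the entry would pass; if the migration is meant to transfer ownership to `serverSideApplyManager`, add a positive assertion such as `assert.True(t, slices.ContainsFunc(managedFields, func(mf metav1.ManagedFieldsEntry) bool { return mf.Manager == "argocd-controller" && mf.Operation == metav1.ManagedFieldsOperationApply }), "ownership should move to the SSA manager")` (imports `slices`). TestPerformCSAUpgradeMigration_NoMigrationNeeded likewise checks only a nil error; it could also confirm that nothing was written, e.g. `for _, a := range dynamicClient.Actions() { assert.NotEqual(t, "patch", a.GetVerb()) }`. The comment in the ConflictRetry test, `// controller modified the object between our Get and Patch, bumping resourceVersion).`, has an unmatched closing parenthesis. performCSAUpgradeMigration itself is not in this diff, so what it does with the entry is inferred from the test names here.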
@@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestSyncPhaseNone(t *testing.T) { diff --git a/gitops-engine/pkg/sync/sync_task.go b/gitops-engine/pkg/sync/sync_task.go index 81f0c53232..492991f69d 100644 --- a/gitops-engine/pkg/sync/sync_task.go +++ b/gitops-engine/pkg/sync/sync_task.go @@ -6,10 +6,10 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" - "github.com/argoproj/gitops-engine/pkg/sync/syncwaves" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/syncwaves" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) // syncTask holds the live and target object. At least one should be non-nil. A targetObj of nil @@ -157,7 +157,7 @@ func (t *syncTask) resourceKey() kube.ResourceKey { // To prevent resource lookup issues, we always rely on the namespace of the live object if it is available. // This logic will work for both cluster scoped and namespace scoped resources. // - // Refer to https://github.com/argoproj/gitops-engine/blob/8007df5f6c5dd78a1a8cef73569468ce4d83682c/pkg/sync/sync_context.go#L827-L833 + // Refer to https://github.com/argoproj/argo-cd/gitops-engine/blob/8007df5f6c5dd78a1a8cef73569468ce4d83682c/pkg/sync/sync_context.go#L827-L833 resourceKey.Namespace = t.liveObj.GetNamespace() } return resourceKey 
diff --git a/gitops-engine/pkg/sync/sync_task_test.go b/gitops-engine/pkg/sync/sync_task_test.go index de946f833e..600f0ee9fa 100644 --- a/gitops-engine/pkg/sync/sync_task_test.go +++ b/gitops-engine/pkg/sync/sync_task_test.go @@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func Test_syncTask_hookType(t *testing.T) { diff --git a/gitops-engine/pkg/sync/sync_tasks.go b/gitops-engine/pkg/sync/sync_tasks.go index 813533a231..d17ab595f8 100644 --- a/gitops-engine/pkg/sync/sync_tasks.go +++ b/gitops-engine/pkg/sync/sync_tasks.go @@ -7,8 +7,8 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) // kindOrder represents the correct order of Kubernetes resources within a manifest diff --git a/gitops-engine/pkg/sync/sync_tasks_test.go b/gitops-engine/pkg/sync/sync_tasks_test.go index 18135beab2..3eb8d58f8e 100644 --- a/gitops-engine/pkg/sync/sync_tasks_test.go +++ b/gitops-engine/pkg/sync/sync_tasks_test.go @@ -8,8 +8,8 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func Test_syncTasks_kindOrder(t *testing.T) { 
diff --git a/gitops-engine/pkg/sync/syncwaves/waves.go b/gitops-engine/pkg/sync/syncwaves/waves.go index 2004335714..ef417beaf8 100644 --- a/gitops-engine/pkg/sync/syncwaves/waves.go +++ b/gitops-engine/pkg/sync/syncwaves/waves.go @@ -5,8 +5,8 @@ import ( "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" - "github.com/argoproj/gitops-engine/pkg/sync/common" - helmhook "github.com/argoproj/gitops-engine/pkg/sync/hook/helm" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + helmhook "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook/helm" ) func Wave(obj *unstructured.Unstructured) int { diff --git a/gitops-engine/pkg/sync/syncwaves/waves_test.go b/gitops-engine/pkg/sync/syncwaves/waves_test.go index 2fadf4fd7d..044ca6c54f 100644 --- a/gitops-engine/pkg/sync/syncwaves/waves_test.go +++ b/gitops-engine/pkg/sync/syncwaves/waves_test.go @@ -5,7 +5,7 @@ import ( "github.com/stretchr/testify/assert" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" ) func TestWave(t *testing.T) { diff --git a/gitops-engine/pkg/utils/kube/convert.go b/gitops-engine/pkg/utils/kube/convert.go index eb07fd35b9..d0d34c2c68 100644 --- a/gitops-engine/pkg/utils/kube/convert.go +++ b/gitops-engine/pkg/utils/kube/convert.go @@ -7,7 +7,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" - "github.com/argoproj/gitops-engine/pkg/utils/kube/scheme" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/scheme" ) func convertToVersionWithScheme(obj *unstructured.Unstructured, group string, version string) (*unstructured.Unstructured, error) { diff --git a/gitops-engine/pkg/utils/kube/convert_test.go b/gitops-engine/pkg/utils/kube/convert_test.go index 43e6ebe38c..3c1ae05db1 100644 --- a/gitops-engine/pkg/utils/kube/convert_test.go +++ b/gitops-engine/pkg/utils/kube/convert_test.go 
@@ -3,7 +3,7 @@ package kube import ( "testing" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/gitops-engine/pkg/utils/kube/ctl.go b/gitops-engine/pkg/utils/kube/ctl.go index 33bf7c3757..fcefe574aa 100644 --- a/gitops-engine/pkg/utils/kube/ctl.go +++ b/gitops-engine/pkg/utils/kube/ctl.go @@ -19,9 +19,9 @@ import ( "k8s.io/kube-openapi/pkg/util/proto" "k8s.io/kubectl/pkg/util/openapi" - "github.com/argoproj/gitops-engine/pkg/diff" - utils "github.com/argoproj/gitops-engine/pkg/utils/io" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + utils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/io" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" ) type CleanupFunc func() diff --git a/gitops-engine/pkg/utils/kube/ctl_test.go b/gitops-engine/pkg/utils/kube/ctl_test.go index 11bb6c786c..f53dff914d 100644 --- a/gitops-engine/pkg/utils/kube/ctl_test.go +++ b/gitops-engine/pkg/utils/kube/ctl_test.go @@ -12,8 +12,8 @@ import ( "github.com/stretchr/testify/assert" "k8s.io/klog/v2/textlogger" - testingutils "github.com/argoproj/gitops-engine/pkg/utils/testing" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" ) var _ Kubectl = &KubectlCmd{} diff --git a/gitops-engine/pkg/utils/kube/kubetest/mock.go b/gitops-engine/pkg/utils/kube/kubetest/mock.go index 2faa669bf5..22ae71e032 100644 --- a/gitops-engine/pkg/utils/kube/kubetest/mock.go +++ b/gitops-engine/pkg/utils/kube/kubetest/mock.go 
@@ -13,7 +13,7 @@ import ( "k8s.io/client-go/rest" "k8s.io/kubectl/pkg/util/openapi" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) type KubectlOutput struct { diff --git a/gitops-engine/pkg/utils/kube/kubetest/mock_resource_operations.go b/gitops-engine/pkg/utils/kube/kubetest/mock_resource_operations.go index ae93c7a957..b3b6804000 100644 --- a/gitops-engine/pkg/utils/kube/kubetest/mock_resource_operations.go +++ b/gitops-engine/pkg/utils/kube/kubetest/mock_resource_operations.go @@ -11,7 +11,7 @@ import ( "k8s.io/client-go/rest" cmdutil "k8s.io/kubectl/pkg/cmd/util" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" ) type MockResourceOps struct { diff --git a/gitops-engine/pkg/utils/kube/resource_ops.go b/gitops-engine/pkg/utils/kube/resource_ops.go index 5782a3b465..c5fc805f24 100644 --- a/gitops-engine/pkg/utils/kube/resource_ops.go +++ b/gitops-engine/pkg/utils/kube/resource_ops.go @@ -32,9 +32,9 @@ import ( "k8s.io/kubectl/pkg/scheme" "k8s.io/kubectl/pkg/util/openapi" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/utils/io" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/io" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" ) // ResourceOperations provides methods to manage k8s resources 
@@ -603,11 +603,24 @@ func (k *kubectlResourceOperations) authReconcile(ctx context.Context, obj *unst
 if err != nil {
 return "", fmt.Errorf("error creating kube client: %w", err)
 }
+
+ clusterScoped := obj.GetKind() == "ClusterRole" || obj.GetKind() == "ClusterRoleBinding"
+
 // `kubectl auth reconcile` has a side effect of auto-creating namespaces if it doesn't exist.
 // See: https://github.com/kubernetes/kubernetes/issues/71185. This is behavior which we do
 // not want. We need to check if the namespace exists, before know if it is safe to run this
 // command. Skip this for dryRuns.
- if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" {
+
+ // When an Argo CD Application specifies destination.namespace, that namespace
+ // may be propagated even for cluster-scoped resources. Passing a namespace in
+ // this case causes `kubectl auth reconcile` to fail with:
+ // "namespaces not found"
+ // or may trigger unintended namespace handling behavior.
+ // Therefore, we skip namespace existence checks for cluster-scoped RBAC
+ // resources and allow reconcile to run without a namespace.
+ //
+ // https://github.com/argoproj/argo-cd/issues/24833
+ if dryRunStrategy == cmdutil.DryRunNone && obj.GetNamespace() != "" && !clusterScoped {
 _, err = kubeClient.CoreV1().Namespaces().Get(ctx, obj.GetNamespace(), metav1.GetOptions{})
 if err != nil {
 return "", fmt.Errorf("error getting namespace %s: %w", obj.GetNamespace(), err)
diff --git a/gitops-engine/pkg/utils/kube/resource_ops_test.go b/gitops-engine/pkg/utils/kube/resource_ops_test.go
new file mode 100644
index 0000000000..29fa2899f2
--- /dev/null
+++ b/gitops-engine/pkg/utils/kube/resource_ops_test.go
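Review bot: `clusterScoped` is decided from `obj.GetKind()` alone, so any object whose Kind string is `ClusterRole` or `ClusterRoleBinding` now bypasses the namespace-existence guard while the namespace stays set on the object; that guard exists (per the retained comment and kubernetes#71185) to keep `kubectl auth reconcile` from auto-creating a namespace, so whether the protection still holds depends on whether the namespace is forwarded to kubectl later in authReconcile, which starts and ends outside this hunk. Tighten the check to the RBAC group, `gvk := obj.GroupVersionKind()` and `clusterScoped := gvk.Group == "rbac.authorization.k8s.io" && (gvk.Kind == "ClusterRole" || gvk.Kind == "ClusterRoleBinding")`, or resolve scope from discovery if the factory exposes it, and consider clearing the namespace on the cluster-scoped object before invoking kubectl so the 71185 side effect cannot resurface. Stylistically, the original comment block is now separated from the `if` it explains by a blank line and a second block; merge the two into one comment placed directly above the condition.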
@@ -0,0 +1,75 @@
+package kube
+
+import (
+ "context"
+ "encoding/json"
+ "fmt"
+ "net/http"
+ "net/http/httptest"
+ "testing"
+
+ testingutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing"
+ "github.com/stretchr/testify/assert"
+ "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/cli-runtime/pkg/genericclioptions"
+ "k8s.io/client-go/rest"
+ cmdutil "k8s.io/kubectl/pkg/cmd/util"
+)
+
+func TestAuthReconcileWithMissingNamespace(t *testing.T) {
+ namespace := "test-ns"
+ fakeBearer := "fake-bearer"
+
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ w.Header().Set("Content-Type", "application/json")
+ status := &metav1.Status{
+ Status: "Failure",
+ Message: fmt.Sprintf("namespace \"%s\" not found", namespace),
+ Reason: metav1.StatusReasonNotFound,
+ Code: http.StatusNotFound,
+ }
+ w.WriteHeader(http.StatusNotFound)
+ json.NewEncoder(w).Encode(status)
+ }))
+ defer server.Close()
+
+ kubeConfigFlags := genericclioptions.NewConfigFlags(true)
+ kubeConfigFlags.Namespace = &namespace
+ kubeConfigFlags.APIServer = &server.URL
+ kubeConfigFlags.BearerToken = &fakeBearer
+ matchFlags := cmdutil.NewMatchVersionFlags(kubeConfigFlags)
+ fact := cmdutil.NewFactory(matchFlags)
+
+ config := &rest.Config{Host: server.URL}
+ k := &kubectlResourceOperations{
+ config: config,
+ fact: fact,
+ }
+
+ role := testingutils.NewRole()
+ role.SetNamespace(namespace)
+
+ _, err := k.authReconcile(context.Background(), role, "/dev/null", cmdutil.DryRunNone)
+ assert.Error(t, err)
+ assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+
+ roleBinding := testingutils.NewRoleBinding()
+ roleBinding.SetNamespace(namespace)
+
+ _, err = k.authReconcile(context.Background(), roleBinding, "/dev/null", cmdutil.DryRunNone)
+ assert.Error(t, err)
+ assert.True(t, errors.IsNotFound(err), "returned error wasn't not found")
+
+ clusterRole := testingutils.NewClusterRole()
+ clusterRole.SetNamespace(namespace)
+
+ _, err = k.authReconcile(context.Background(), clusterRole, "/dev/null", cmdutil.DryRunNone)
+ assert.NoError(t, err)
+
+ clusterRoleBinding := testingutils.NewClusterRoleBinding()
+ clusterRoleBinding.SetNamespace(namespace)
+
+ _, err = k.authReconcile(context.Background(), clusterRoleBinding, "/dev/null", cmdutil.DryRunNone)
+ assert.NoError(t, err)
+}
diff --git a/gitops-engine/pkg/utils/testing/testdata.go b/gitops-engine/pkg/utils/testing/testdata.go
index 5ea16e8cd1..8fc91be939 100644
--- a/gitops-engine/pkg/utils/testing/testdata.go
+++ b/gitops-engine/pkg/utils/testing/testdata.go
@@ -97,3 +97,55 @@ metadata:
 name: testnamespace
 spec:`)
 }
+
+func NewRole() *unstructured.Unstructured {
+ return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: my-role
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]`)
+}
+
+func NewRoleBinding() *unstructured.Unstructured {
+ return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: my-role-binding
+subjects:
+- kind: User
+ name: user
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: Role
+ name: my-role
+ apiGroup: rbac.authorization.k8s.io`)
+}
+
+func NewClusterRole() *unstructured.Unstructured {
+ return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: my-cluster-role
+rules:
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]`)
+}
+
+func NewClusterRoleBinding() *unstructured.Unstructured {
+ return Unstructured(`apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: my-cluster-role-binding
+subjects:
+- kind: Group
+ name: group
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: my-cluster-role
+ apiGroup: rbac.authorization.k8s.io`)
+}
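Review bot: Every `authReconcile` call in TestAuthReconcileWithMissingNamespace passes `/dev/null` as the manifest and the httptest server answers 404 to every request, so the two cluster-scoped cases only show that the namespace lookup was skipped; reconciling an actual ClusterRole/ClusterRoleBinding manifest without a namespace, which is the behaviour the resource_ops.go change is meant to enable, is never exercised, and `/dev/null` does not exist on Windows runners. Consider writing the fixture to `filepath.Join(t.TempDir(), "rbac.yaml")` and letting the server answer the reconcile requests successfully so the new path is covered. `json.NewEncoder(w).Encode(status)` discards its error, which errcheck will flag; write `_ = json.NewEncoder(w).Encode(status)`. The apimachinery errors package is imported unaliased as `errors`, shadowing the standard-library name; the sync_context_test.go hunk in this diff aliases it `apierrors`, so do the same here for consistency.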
diff --git a/gitops-engine/pkg/utils/tracing/logging_test.go b/gitops-engine/pkg/utils/tracing/logging_test.go index f9346550f0..80520986ab 100644 --- a/gitops-engine/pkg/utils/tracing/logging_test.go +++ b/gitops-engine/pkg/utils/tracing/logging_test.go @@ -6,7 +6,7 @@ import ( "github.com/go-logr/logr" "go.uber.org/mock/gomock" - "github.com/argoproj/gitops-engine/pkg/utils/tracing/tracer_testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing/tracer_testing" ) func TestLoggingTracer(t *testing.T) { diff --git a/go.mod b/go.mod index 97fd9b2901..8fd4d6e4b5 100644 --- a/go.mod +++ b/go.mod @@ -1,9 +1,9 @@ module github.com/argoproj/argo-cd/v3 -go 1.25.5 +go 1.26.0 require ( - code.gitea.io/sdk/gitea v0.22.1 + code.gitea.io/sdk/gitea v0.23.2 dario.cat/mergo v1.0.2 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 @@ -11,13 +11,13 @@ require ( github.com/Masterminds/semver/v3 v3.4.0 github.com/Masterminds/sprig/v3 v3.3.0 github.com/TomOnTime/utfutil v1.0.0 - github.com/alicebob/miniredis/v2 v2.36.0 - github.com/argoproj/gitops-engine v0.7.1-0.20250908182407-97ad5b59a627 - github.com/argoproj/notifications-engine v0.5.1-0.20260119155007-a23b5827d630 + github.com/alicebob/miniredis/v2 v2.36.1 + github.com/argoproj/argo-cd/gitops-engine v0.7.1-0.20250908182407-97ad5b59a627 + github.com/argoproj/notifications-engine v0.5.1-0.20260213231747-1dbe3de712f8 github.com/argoproj/pkg v0.13.6 github.com/argoproj/pkg/v2 v2.0.1 github.com/aws/aws-sdk-go v1.55.7 - github.com/bmatcuk/doublestar/v4 v4.9.2 + github.com/bmatcuk/doublestar/v4 v4.10.0 github.com/bombsimon/logrusr/v4 v4.1.0 github.com/bradleyfalzon/ghinstallation/v2 v2.17.0 github.com/casbin/casbin/v2 v2.135.0 
@@ -30,7 +30,7 @@ require ( github.com/dlclark/regexp2 v1.11.5 github.com/dustin/go-humanize v1.0.1 github.com/evanphx/json-patch v5.9.11+incompatible - github.com/expr-lang/expr v1.17.7 + github.com/expr-lang/expr v1.17.8 github.com/felixge/httpsnoop v1.0.4 github.com/fsnotify/fsnotify v1.9.0 github.com/gfleury/go-bitbucket-v1 v0.0.0-20240917142304-df385efaac68 @@ -45,7 +45,7 @@ require ( github.com/gobwas/glob v0.2.3 github.com/gogits/go-gogs-client v0.0.0-20210131175652-1d7215cd8d85 github.com/gogo/protobuf v1.3.2 - github.com/golang-jwt/jwt/v5 v5.3.0 + github.com/golang-jwt/jwt/v5 v5.3.1 github.com/golang/protobuf v1.5.4 github.com/google/btree v1.1.3 github.com/google/gnostic-models v0.7.0 // indirect @@ -66,7 +66,7 @@ require ( github.com/jarcoal/httpmock v1.4.1 github.com/jeremywohl/flatten v1.0.2-0.20211013061545-07e4a09fb8e4 github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 - github.com/ktrysmt/go-bitbucket v0.9.88 + github.com/ktrysmt/go-bitbucket v0.9.91 github.com/mattn/go-isatty v0.0.20 github.com/mattn/go-zglob v0.0.6 github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.1-0.20241014080628-3045bdf43455 @@ -78,7 +78,7 @@ require ( github.com/prometheus/client_golang v1.23.2 github.com/prometheus/client_model v0.6.2 github.com/r3labs/diff/v3 v3.0.2 - github.com/redis/go-redis/v9 v9.17.2 + github.com/redis/go-redis/v9 v9.18.0 github.com/robfig/cron/v3 v3.0.2-0.20210106135023-bc59245fe10e github.com/sirupsen/logrus v1.9.4 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 
@@ -88,19 +88,21 @@ require ( github.com/stretchr/testify v1.11.1 github.com/valyala/fasttemplate v1.2.2 github.com/yuin/gopher-lua v1.1.1 - gitlab.com/gitlab-org/api/client-go v1.16.0 + gitlab.com/gitlab-org/api/client-go v1.39.0 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.64.0 + go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 go.opentelemetry.io/otel v1.39.0 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.39.0 go.opentelemetry.io/otel/sdk v1.39.0 - golang.org/x/crypto v0.47.0 - golang.org/x/net v0.49.0 - golang.org/x/oauth2 v0.34.0 + go.opentelemetry.io/otel/trace v1.39.0 + golang.org/x/crypto v0.48.0 + golang.org/x/net v0.50.0 + golang.org/x/oauth2 v0.35.0 golang.org/x/sync v0.19.0 - golang.org/x/term v0.39.0 + golang.org/x/term v0.40.0 golang.org/x/time v0.14.0 google.golang.org/genproto/googleapis/api v0.0.0-20251202230838-ff82c1b0f217 - google.golang.org/grpc v1.78.0 + google.golang.org/grpc v1.79.1 google.golang.org/protobuf v1.36.11 gopkg.in/yaml.v2 v2.4.0 gopkg.in/yaml.v3 v3.0.1 @@ -116,7 +118,7 @@ require ( layeh.com/gopher-json v0.0.0-20190114024228-97fed8db8427 oras.land/oras-go/v2 v2.6.0 sigs.k8s.io/controller-runtime v0.21.0 - sigs.k8s.io/structured-merge-diff/v6 v6.3.1-0.20251003215857-446d8398e19c + sigs.k8s.io/structured-merge-diff/v6 v6.3.2 sigs.k8s.io/yaml v1.6.0 ) 
@@ -144,20 +146,21 @@ require ( github.com/PagerDuty/go-pagerduty v1.8.0 // indirect github.com/ProtonMail/go-crypto v1.1.6 // indirect github.com/RocketChat/Rocket.Chat.Go.SDK v0.0.0-20240116134246-a8cbe886bab0 // indirect - github.com/aws/aws-sdk-go-v2 v1.36.3 // indirect - github.com/aws/aws-sdk-go-v2/config v1.29.9 // indirect - github.com/aws/aws-sdk-go-v2/credentials v1.17.62 // indirect - github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 // indirect - github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 // indirect - github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 // indirect - github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 // indirect + github.com/aws/aws-sdk-go-v2 v1.41.1 + github.com/aws/aws-sdk-go-v2/config v1.32.9 + github.com/aws/aws-sdk-go-v2/credentials v1.19.9 + github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 // indirect + github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 // indirect + github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 // indirect + github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 // indirect - github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 // indirect - github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 // indirect - github.com/aws/smithy-go v1.22.2 // indirect + github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 // indirect + github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 // indirect + github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 + 
github.com/aws/smithy-go v1.24.0 github.com/beorn7/perks v1.0.1 // indirect github.com/blang/semver/v4 v4.0.0 // indirect github.com/cenkalti/backoff/v4 v4.3.0 // indirect @@ -244,6 +247,9 @@ require ( github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect + github.com/nats-io/nats.go v1.43.0 // indirect + github.com/nats-io/nkeys v0.4.11 // indirect + github.com/nats-io/nuid v1.0.1 // indirect github.com/oklog/ulid v1.3.1 // indirect github.com/olekukonko/cat v0.0.0-20250911104152-50322a0618f6 // indirect github.com/olekukonko/errors v1.1.0 // indirect @@ -273,17 +279,15 @@ require ( github.com/xlab/treeprint v1.2.0 // indirect go.mongodb.org/mongo-driver v1.17.6 // indirect go.opentelemetry.io/auto/sdk v1.2.1 // indirect - go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.39.0 // indirect go.opentelemetry.io/otel/metric v1.39.0 // indirect - go.opentelemetry.io/otel/trace v1.39.0 // indirect go.opentelemetry.io/proto/otlp v1.9.0 // indirect go.yaml.in/yaml/v2 v2.4.2 // indirect go.yaml.in/yaml/v3 v3.0.4 // indirect - golang.org/x/mod v0.31.0 // indirect - golang.org/x/sys v0.40.0 // indirect - golang.org/x/text v0.33.0 // indirect - golang.org/x/tools v0.40.0 // indirect + golang.org/x/mod v0.32.0 // indirect + golang.org/x/sys v0.41.0 // indirect + golang.org/x/text v0.34.0 // indirect + golang.org/x/tools v0.41.0 // indirect golang.org/x/tools/go/expect v0.1.1-deprecated // indirect golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated // indirect gomodules.xyz/envconfig v1.3.1-0.20190308184047-426f31af0d45 // indirect 
@@ -312,6 +316,8 @@ require ( sigs.k8s.io/randfill v1.0.0 // indirect ) +require go.uber.org/atomic v1.11.0 // indirect + replace ( github.com/golang/protobuf => github.com/golang/protobuf v1.5.4 github.com/grpc-ecosystem/grpc-gateway => github.com/grpc-ecosystem/grpc-gateway v1.16.0 @@ -357,4 +363,4 @@ replace ( k8s.io/sample-controller => k8s.io/sample-controller v0.34.0 ) -replace github.com/argoproj/gitops-engine => ./gitops-engine +replace github.com/argoproj/argo-cd/gitops-engine => ./gitops-engine diff --git a/go.sum b/go.sum index 3c9f21886e..3373e63db0 100644 --- a/go.sum +++ b/go.sum @@ -37,8 +37,8 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk= cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs= cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0= -code.gitea.io/sdk/gitea v0.22.1 h1:7K05KjRORyTcTYULQ/AwvlVS6pawLcWyXZcTr7gHFyA= -code.gitea.io/sdk/gitea v0.22.1/go.mod h1:yyF5+GhljqvA30sRDreoyHILruNiy4ASufugzYg0VHM= +code.gitea.io/sdk/gitea v0.23.2 h1:iJB1FDmLegwfwjX8gotBDHdPSbk/ZR8V9VmEJaVsJYg= +code.gitea.io/sdk/gitea v0.23.2/go.mod h1:yyF5+GhljqvA30sRDreoyHILruNiy4ASufugzYg0VHM= cyphar.com/go-pathrs v0.2.1 h1:9nx1vOgwVvX1mNBWDu93+vaceedpbsDqo+XuBGL40b8= cyphar.com/go-pathrs v0.2.1/go.mod h1:y8f1EMG7r+hCuFf/rXsKqMJrJAUoADZGNh5/vZPKcGc= dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8= 
@@ -109,14 +109,14 @@ github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuy github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190717042225-c3de453c63f4/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alecthomas/units v0.0.0-20190924025748-f65c72e2690d/go.mod h1:rBZYJk541a8SKzHPHnH3zbiI+7dagKZ0cgpgrD7Fyho= -github.com/alicebob/miniredis/v2 v2.36.0 h1:yKczg+ez0bQYsG/PrgqtMMmCfl820RPu27kVGjP53eY= -github.com/alicebob/miniredis/v2 v2.36.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= +github.com/alicebob/miniredis/v2 v2.36.1 h1:Dvc5oAnNOr7BIfPn7tF269U8DvRW1dBG2D5n0WrfYMI= +github.com/alicebob/miniredis/v2 v2.36.1/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/appscode/go v0.0.0-20191119085241-0887d8ec2ecc/go.mod h1:OawnOmAL4ZX3YaPdN+8HTNwBveT1jMsqP74moa9XUbE= -github.com/argoproj/notifications-engine v0.5.1-0.20260119155007-a23b5827d630 h1:naE5KNRTOALjF5nVIGUHrHU5xjlB8QJJiCu+aISIlSs= -github.com/argoproj/notifications-engine v0.5.1-0.20260119155007-a23b5827d630/go.mod h1:d1RazGXWvKRFv9//rg4MRRR7rbvbE7XLgTSMT5fITTE= +github.com/argoproj/notifications-engine v0.5.1-0.20260213231747-1dbe3de712f8 h1:OGoe2RFv1wuhxHrFcdAC/VW+5HUkRI+1/zf3RGR5LnY= +github.com/argoproj/notifications-engine v0.5.1-0.20260213231747-1dbe3de712f8/go.mod h1:zz+4OVgqmyD0T5whLAPO6k5BGLSop4j32BKHSAe80tM= github.com/argoproj/pkg v0.13.6 h1:36WPD9MNYECHcO1/R1pj6teYspiK7uMQLCgLGft2abM= github.com/argoproj/pkg v0.13.6/go.mod h1:I698DoJBKuvNFaixh4vFl2C88cNIT1WS7KCbz5ewyF8= github.com/argoproj/pkg/v2 v2.0.1 
h1:O/gCETzB/3+/hyFL/7d/VM/6pSOIRWIiBOTb2xqAHvc= 
@@ -126,34 +126,36 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY github.com/aws/aws-sdk-go v1.44.39/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.55.7 h1:UJrkFq7es5CShfBwlWAC8DA077vp8PyVbQd3lqLiztE= github.com/aws/aws-sdk-go v1.55.7/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU= -github.com/aws/aws-sdk-go-v2 v1.36.3 h1:mJoei2CxPutQVxaATCzDUjcZEjVRdpsiiXi2o38yqWM= -github.com/aws/aws-sdk-go-v2 v1.36.3/go.mod h1:LLXuLpgzEbD766Z5ECcRmi8AzSwfZItDtmABVkRLGzg= -github.com/aws/aws-sdk-go-v2/config v1.29.9 h1:Kg+fAYNaJeGXp1vmjtidss8O2uXIsXwaRqsQJKXVr+0= -github.com/aws/aws-sdk-go-v2/config v1.29.9/go.mod h1:oU3jj2O53kgOU4TXq/yipt6ryiooYjlkqqVaZk7gY/U= -github.com/aws/aws-sdk-go-v2/credentials v1.17.62 h1:fvtQY3zFzYJ9CfixuAQ96IxDrBajbBWGqjNTCa79ocU= -github.com/aws/aws-sdk-go-v2/credentials v1.17.62/go.mod h1:ElETBxIQqcxej++Cs8GyPBbgMys5DgQPTwo7cUPDKt8= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30 h1:x793wxmUWVDhshP8WW2mlnXuFrO4cOd3HLBroh1paFw= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.30/go.mod h1:Jpne2tDnYiFascUEs2AWHJL9Yp7A5ZVy3TNyxaAjD6M= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34 h1:ZK5jHhnrioRkUNOc+hOgQKlUL5JeC3S6JgLxtQ+Rm0Q= -github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.34/go.mod h1:p4VfIceZokChbA9FzMbRGz5OV+lekcVtHlPKEO0gSZY= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34 h1:SZwFm17ZUNNg5Np0ioo/gq8Mn6u9w19Mri8DnJ15Jf0= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.34/go.mod h1:dFZsC0BLo346mvKQLWmoJxT+Sjp+qcVR1tRVHQGOH9Q= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3 h1:bIqFDwgGXXN1Kpp99pDOdKMTTb5d2KyU5X/BZxjOkRo= -github.com/aws/aws-sdk-go-v2/internal/ini v1.8.3/go.mod h1:H5O/EsxDWyU+LP/V8i5sm8cxoZgc2fdNR9bxlOFrQTo= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.3 h1:eAh2A4b5IzM/lum78bZ590jy36+d/aFLgKF/4Vd1xPE= -github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding 
v1.12.3/go.mod h1:0yKJC/kb8sAnmlYa6Zs3QVYqaC8ug2AbnNChv5Ox3uA= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15 h1:dM9/92u2F1JbDaGooxTq18wmmFzbJRfXfVfy96/1CXM= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.15/go.mod h1:SwFBy2vjtA0vZbjjaFtfN045boopadnoVPhu4Fv66vY= +github.com/aws/aws-sdk-go-v2 v1.41.1 h1:ABlyEARCDLN034NhxlRUSZr4l71mh+T5KAeGh6cerhU= +github.com/aws/aws-sdk-go-v2 v1.41.1/go.mod h1:MayyLB8y+buD9hZqkCW3kX1AKq07Y5pXxtgB+rRFhz0= +github.com/aws/aws-sdk-go-v2/config v1.32.9 h1:ktda/mtAydeObvJXlHzyGpK1xcsLaP16zfUPDGoW90A= +github.com/aws/aws-sdk-go-v2/config v1.32.9/go.mod h1:U+fCQ+9QKsLW786BCfEjYRj34VVTbPdsLP3CHSYXMOI= +github.com/aws/aws-sdk-go-v2/credentials v1.19.9 h1:sWvTKsyrMlJGEuj/WgrwilpoJ6Xa1+KhIpGdzw7mMU8= +github.com/aws/aws-sdk-go-v2/credentials v1.19.9/go.mod h1:+J44MBhmfVY/lETFiKI+klz0Vym2aCmIjqgClMmW82w= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17 h1:xOLELNKGp2vsiteLsvLPwxC+mYmO6OZ8PYgiuPJzF8U= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.17/go.mod h1:5M5CI3D12dNOtH3/mk6minaRwI2/37ifCURZISxA/IQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17 h1:WWLqlh79iO48yLkj1v3ISRNiv+3KdQoZ6JWyfcsyQik= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.17/go.mod h1:EhG22vHRrvF8oXSTYStZhJc1aUgKtnJe+aOiFEV90cM= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk= +github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4 h1:0ryTNEdJbzUCEWkVXEXoqlXV72J5keC1GvILMOuD00E= +github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.4/go.mod h1:HQ4qwNZh32C3CBeO6iJLQlgtMzqeG17ziAA/3KDJFow= 
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17 h1:RuNSMoozM8oXlgLG/n6WLaFGoea7/CddrCfIiSA+xdY= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.17/go.mod h1:F2xxQ9TZz5gDWsclCtPQscGpP0VUOc8RqgFM3vDENmU= +github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y= +github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M= github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1 h1:ZtgZeMPJH8+/vNs9vJFFLI0QEzYbcN0p7x1/FFwyROc= github.com/aws/aws-sdk-go-v2/service/sqs v1.38.1/go.mod h1:Bar4MrRxeqdn6XIh8JGfiXuFRmyrrsZNTJotxEJmWW0= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.1 h1:8JdC7Gr9NROg1Rusk25IcZeTO59zLxsKgE0gkh5O6h0= -github.com/aws/aws-sdk-go-v2/service/sso v1.25.1/go.mod h1:qs4a9T5EMLl/Cajiw2TcbNt2UNo/Hqlyp+GiuG4CFDI= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1 h1:KwuLovgQPcdjNMfFt9OhUd9a2OwcOKhxfvF4glTzLuA= -github.com/aws/aws-sdk-go-v2/service/ssooidc v1.29.1/go.mod h1:MlYRNmYu/fGPoxBQVvBYr9nyr948aY/WLUvwBMBJubs= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.17 h1:PZV5W8yk4OtH1JAuhV2PXwwO9v5G5Aoj+eMCn4T+1Kc= -github.com/aws/aws-sdk-go-v2/service/sts v1.33.17/go.mod h1:cQnB8CUnxbMU82JvlqjKR2HBOm3fe9pWorWBza6MBJ4= -github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ= -github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.10 h1:+VTRawC4iVY58pS/lzpo0lnoa/SYNGF4/B/3/U5ro8Y= +github.com/aws/aws-sdk-go-v2/service/sso v1.30.10/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14 h1:0jbJeuEHlwKJ9PfXtpSFc4MF+WIWORdhN1n30ITZGFM= +github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.14/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo= +github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ= +github.com/aws/aws-sdk-go-v2/service/sts 
v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ= +github.com/aws/smithy-go v1.24.0 h1:LpilSUItNPFr1eY85RYgTIg5eIEPtvFbskaFcmmIUnk= +github.com/aws/smithy-go v1.24.0/go.mod h1:LEj2LM3rBRQJxPZTB4KuzZkaZYnZPnvgIhb4pu07mx0= github.com/beevik/ntp v0.2.0/go.mod h1:hIHWr+l3+/clUnF44zdK+CWW7fO8dR5cIylAQ76NRpg= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= @@ -162,8 +164,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM= github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ= github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= -github.com/bmatcuk/doublestar/v4 v4.9.2 h1:b0mc6WyRSYLjzofB2v/0cuDUZ+MqoGyH3r0dVij35GI= -github.com/bmatcuk/doublestar/v4 v4.9.2/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= +github.com/bmatcuk/doublestar/v4 v4.10.0 h1:zU9WiOla1YA122oLM6i4EXvGW62DvKZVxIe6TYWexEs= +github.com/bmatcuk/doublestar/v4 v4.10.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc= github.com/bombsimon/logrusr/v4 v4.1.0 h1:uZNPbwusB0eUXlO8hIUwStE6Lr5bLN6IgYgG+75kuh4= github.com/bombsimon/logrusr/v4 v4.1.0/go.mod h1:pjfHC5e59CvjTBIU3V3sGhFWFAnsnhOR03TRc6im0l8= github.com/bradleyfalzon/ghinstallation/v2 v2.17.0 h1:SmbUK/GxpAspRjSQbB6ARvH+ArzlNzTtHydNyXUQ6zg= 
@@ -261,8 +263,8 @@ github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjT github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc= -github.com/expr-lang/expr v1.17.7 h1:Q0xY/e/2aCIp8g9s/LGvMDCC5PxYlvHgDZRQ4y16JX8= -github.com/expr-lang/expr v1.17.7/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4= +github.com/expr-lang/expr v1.17.8 h1:W1loDTT+0PQf5YteHSTpju2qfUfNoBt4yw9+wOEU9VM= +github.com/expr-lang/expr v1.17.8/go.mod h1:8/vRC7+7HBzESEqt5kKpYXxrxkr31SaO8r40VO/1IT4= github.com/facebookgo/ensure v0.0.0-20160127193407-b4ab57deab51/go.mod h1:Yg+htXGokKKdzcwhuNDwVvN+uBxDGXJ7G/VN1d8fa64= github.com/facebookgo/stack v0.0.0-20160209184415-751773369052/go.mod h1:UbMTZqLaRiH3MsBH8va0n7s1pQYcu3uTb8G4tygF4Zg= github.com/facebookgo/subset v0.0.0-20150612182917-8dac2c3c4870/go.mod h1:5tD+neXqOorC30/tWg0LCSkrqj/AR6gu8yY8/fpw1q0= 
@@ -422,8 +424,8 @@ github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzw github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI= github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= -github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo= -github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= +github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY= +github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I= github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w= @@ -474,6 +476,8 @@ github.com/google/go-jsonnet v0.21.0/go.mod h1:tCGAu8cpUpEZcdGMmdOu37nh8bGgqubhI github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck= github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0= github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU= +github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU= +github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= 
@@ -524,6 +528,8 @@ github.com/gosimple/slug v1.15.0 h1:wRZHsRrRcs6b0XnxMUBM6WK1U1Vg5B0R7VkIf1Xzobo= github.com/gosimple/slug v1.15.0/go.mod h1:UiRaFH+GEilHstLUmcBgWcI42viBN7mAb818JrYOeFQ= github.com/gosimple/unidecode v1.0.1 h1:hZzFTMMqSswvf0LBJZCZgThIZrpDHFXux9KeGmn6T/o= github.com/gosimple/unidecode v1.0.1/go.mod h1:CP0Cr1Y1kogOtx0bJblKzsVWrqYaqfNOnHzpgWw4Awc= +github.com/graph-gophers/graphql-go v1.8.0 h1:NT05/H+PdH1/PONExlUycnhULYHBy98dxV63WYc0Ng8= +github.com/graph-gophers/graphql-go v1.8.0/go.mod h1:23olKZ7duEvHlF/2ELEoSZaY1aNPfShjP782SOoNTyM= github.com/gregdel/pushover v1.3.1 h1:4bMLITOZ15+Zpi6qqoGqOPuVHCwSUvMCgVnN5Xhilfo= github.com/gregdel/pushover v1.3.1/go.mod h1:EcaO66Nn1StkpEm1iKtBTV3d2A16SoMsVER1PthX7to= github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA= @@ -610,7 +616,10 @@ github.com/klauspost/compress v1.13.6/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo= github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ= github.com/klauspost/cpuid v1.2.3/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= +github.com/klauspost/cpuid v1.3.1 h1:5JNjFYYQrZeKRJ0734q51WCEEn2huer72Dc7K+R/b6s= github.com/klauspost/cpuid v1.3.1/go.mod h1:bYW4mA6ZgKPob1/Dlai2LviZJO7KGI3uoWLd42rAQw4= +github.com/klauspost/cpuid/v2 v2.0.9 h1:lgaqFMSdTdQYdZ04uHyN2d/eKdOMyi2YLSvlQIBFYa4= +github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFBFZlji/RkVcI2GknAs/DXo4wKdlNEc= 
@@ -623,8 +632,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= -github.com/ktrysmt/go-bitbucket v0.9.88 h1:XBjYui83tW2puG7f2GvYSAMMKIPfhpeoLCVfEJx3KVM= -github.com/ktrysmt/go-bitbucket v0.9.88/go.mod h1:fx6zdyKEyiNfR9VW0npWD6ugoSUsp8JLXGyqna8bHkc= +github.com/ktrysmt/go-bitbucket v0.9.91 h1:/yLg/yqBVUweCiLv9vdmhXsHTuf2X31YGOdU+as2nNw= +github.com/ktrysmt/go-bitbucket v0.9.91/go.mod h1:RRZuPw5zAfG0PWJ4pF91gXE5v/lbujZbnY5VWEgdwQI= github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc= github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw= github.com/ledongthuc/pdf v0.0.0-20220302134840-0c2507a12d80/go.mod h1:imJHygn/1yfhB7XSJJKlFZKl/J+dCPAknuiaGOshXAs= @@ -659,6 +668,8 @@ github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.1-0.20241014080628- github.com/microsoft/azure-devops-go-api/azuredevops/v7 v7.1.1-0.20241014080628-3045bdf43455/go.mod h1:mDunUZ1IUJdJIRHvFb+LPBUtxe3AYB5MI6BMXNg8194= github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1 h1:lYpkrQH5ajf0OXOcUbGjvZxxijuBwbbmlSxLiuofa+g= github.com/minio/blake2b-simd v0.0.0-20160723061019-3f5f724cb5b1/go.mod h1:pD8RvIylQ358TN4wwqatJ8rNavkEINozVn9DtGI3dfQ= +github.com/minio/highwayhash v1.0.3 h1:kbnuUMoHYyVl7szWjSxJnxw11k2U709jqFPPmIUyD6Q= +github.com/minio/highwayhash v1.0.3/go.mod h1:GGYsuwP/fPD6Y9hMiXuapVvlIUEhFhMTh0rxU3ik1LQ= github.com/minio/md5-simd v1.1.0/go.mod h1:XpBqgZULrMYD3R+M28PcmP0CkI7PEMzB3U77ZrKZ0Gw= github.com/minio/minio-go/v7 v7.0.29/go.mod h1:x81+AX5gHSfCSqw7jxRKHvxUXMlE5uKX0Vb75Xk5yYg= github.com/minio/sha256-simd v0.1.1/go.mod h1:B5e1o+1/KgNmWrSQK08Y6Z1Vb5pwIktudl0J58iy0KM= 
@@ -695,6 +706,16 @@ github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRW github.com/mwitkow/grpc-proxy v0.0.0-20181017164139-0f1106ef9c76/go.mod h1:x5OoJHDHqxHS801UIuhqGl6QdSAEJvtausosHSdazIo= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= +github.com/nats-io/jwt/v2 v2.7.4 h1:jXFuDDxs/GQjGDZGhNgH4tXzSUK6WQi2rsj4xmsNOtI= +github.com/nats-io/jwt/v2 v2.7.4/go.mod h1:me11pOkwObtcBNR8AiMrUbtVOUGkqYjMQZ6jnSdVUIA= +github.com/nats-io/nats-server/v2 v2.11.4 h1:oQhvy6He6ER926sGqIKBKuYHH4BGnUQCNb0Y5Qa+M54= +github.com/nats-io/nats-server/v2 v2.11.4/go.mod h1:jFnKKwbNeq6IfLHq+OMnl7vrFRihQ/MkhRbiWfjLdjU= +github.com/nats-io/nats.go v1.43.0 h1:uRFZ2FEoRvP64+UUhaTokyS18XBCR/xM2vQZKO4i8ug= +github.com/nats-io/nats.go v1.43.0/go.mod h1:iRWIPokVIFbVijxuMQq4y9ttaBTMe0SFdlZfMDd+33g= +github.com/nats-io/nkeys v0.4.11 h1:q44qGV008kYd9W1b1nEBkNzvnWxtRSQ7A8BoqRrcfa0= +github.com/nats-io/nkeys v0.4.11/go.mod h1:szDimtgmfOi9n25JpfIdGw12tZFYXqhGxjhVxsatHVE= +github.com/nats-io/nuid v1.0.1 h1:5iA8DT8V7q8WK2EScv2padNa/rTESc1KdnPw4TC2paw= +github.com/nats-io/nuid v1.0.1/go.mod h1:19wcPz3Ph3q0Jbyiqsd0kePYG7A95tJPxeL+1OSON2c= github.com/nlopes/slack v0.5.0/go.mod h1:jVI4BBK3lSktibKahxBF74txcK2vyvkza1z/+rRnVAM= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= 
@@ -821,8 +842,8 @@ github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlT github.com/r3labs/diff/v3 v3.0.2 h1:yVuxAY1V6MeM4+HNur92xkS39kB/N+cFi2hMkY06BbA= github.com/r3labs/diff/v3 v3.0.2/go.mod h1:Cy542hv0BAEmhDYWtGxXRQ4kqRsVIcEjG9gChUlTmkw= github.com/redis/go-redis/v9 v9.0.0-rc.4/go.mod h1:Vo3EsyWnicKnSKCA7HhgnvnyA74wOA69Cd2Meli5mmA= -github.com/redis/go-redis/v9 v9.17.2 h1:P2EGsA4qVIM3Pp+aPocCJ7DguDHhqrXNhVcEp4ViluI= -github.com/redis/go-redis/v9 v9.17.2/go.mod h1:u410H11HMLoB+TP67dz8rL9s6QW2j76l0//kSOd3370= +github.com/redis/go-redis/v9 v9.18.0 h1:pMkxYPkEbMPwRdenAzUNyFNrDgHx9U+DrBabWNfSRQs= +github.com/redis/go-redis/v9 v9.18.0/go.mod h1:k3ufPphLU5YXwNTUcCRXGxUoF1fqxnhFQmscfkCoDA0= github.com/robfig/cron/v3 v3.0.2-0.20210106135023-bc59245fe10e h1:0xChnl3lhHiXbgSJKgChye0D+DvoItkOdkGcwelDXH0= github.com/robfig/cron/v3 v3.0.2-0.20210106135023-bc59245fe10e/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro= github.com/rogpeppe/fastuuid v1.2.0/go.mod h1:jVj6XXZzXRy/MSR5jhDC/2q6DgLz+nrA6LYCDYWNEvQ= 
@@ -923,8 +944,10 @@ github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yuin/gopher-lua v1.1.1 h1:kYKnWBjvbNP4XLT3+bPEwAXJx262OhaHDWDVOPjL46M= github.com/yuin/gopher-lua v1.1.1/go.mod h1:GBR0iDaNXjAgGg9zfCvksxSRnQx76gclCIb7kdAd1Pw= -gitlab.com/gitlab-org/api/client-go v1.16.0 h1:WbGrYnFCLx/FV+hE2XImIV60G7rdIBg8sZiJa+HWJ0s= -gitlab.com/gitlab-org/api/client-go v1.16.0/go.mod h1:ctGKgv9bErQHO0NOrfhoyFtKMAkBhUE7y53F2xHFAkE= +github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0= +github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA= +gitlab.com/gitlab-org/api/client-go v1.39.0 h1:4Q+btMsCvII7mbSjilohtblijv3jRws3sWpK4m27ABw= +gitlab.com/gitlab-org/api/client-go v1.39.0/go.mod h1:txpNttRZAkUa4mmqr9WJh99XT+WtfytQXbswFdMwNsc= go.mongodb.org/mongo-driver v1.17.6 h1:87JUG1wZfWsr6rIz3ZmpH90rL5tea7O3IHuSwHUpsss= go.mongodb.org/mongo-driver v1.17.6/go.mod h1:Hy04i7O2kC4RS06ZrhPRqj/u4DTYkFDAAccj+rVKqgQ= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= @@ -955,6 +978,8 @@ go.opentelemetry.io/otel/trace v1.39.0/go.mod h1:88w4/PnZSazkGzz/w84VHpQafiU4Etq go.opentelemetry.io/proto/otlp v1.9.0 h1:l706jCMITVouPOqEnii2fIAuO3IVGBRPV5ICjceRb/A= go.opentelemetry.io/proto/otlp v1.9.0/go.mod h1:xE+Cx5E/eEHw+ISFkwPLwCZefwVjY+pqKg1qcK03+/4= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= +go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE= +go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y= 
@@ -999,8 +1024,8 @@ golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7 golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U= golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY= -golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8= -golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A= +golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts= +golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1043,8 +1068,8 @@ golang.org/x/mod v0.19.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.20.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww= golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ= -golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI= -golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg= +golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c= +golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1110,8 +1135,8 @@ golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU= golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA= golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8= -golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o= -golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8= +golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60= +golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -1119,8 +1144,8 @@ golang.org/x/oauth2 v0.0.0-20191202225959-858c2ad4c8b6/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8= -golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw= -golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= +golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= 
@@ -1219,8 +1244,8 @@ golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= -golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ= -golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= +golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k= +golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks= golang.org/x/telemetry v0.0.0-20250710130107-8d8967aff50b/go.mod h1:4ZwOYna0/zsOKwuR5X/m0QFOJpSZvAxFfkQT+Erd9D4= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= @@ -1247,8 +1272,8 @@ golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M= golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g= golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ= golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0= -golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY= -golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww= +golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg= +golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= 
@@ -1273,8 +1298,8 @@ golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY= golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA= golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU= -golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE= -golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8= +golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk= +golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= @@ -1375,8 +1400,8 @@ google.golang.org/grpc v1.30.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.31.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM8pak= google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= -google.golang.org/grpc v1.78.0 h1:K1XZG/yGDJnzMdd/uZHAkVqJE+xIDOcmdSFZkBUicNc= -google.golang.org/grpc v1.78.0/go.mod h1:I47qjTo4OKbMkjA/aOOwxDIiPSBofUtQUI5EfpWvW7U= +google.golang.org/grpc v1.79.1 h1:zGhSi45ODB9/p3VAawt9a+O/MULLl9dpizzNNpq7flY= +google.golang.org/grpc v1.79.1/go.mod h1:KmT0Kjez+0dde/v2j9vzwoAScgEPx/Bw1CYChhHLrHQ= google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU= google.golang.org/protobuf v1.24.0/go.mod h1:r/3tXBNzIEhYS9I1OUVjXDlt8tc493IdKGjtUeSXeh4= 
@@ -1486,8 +1511,8 @@ sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU= sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY= sigs.k8s.io/structured-merge-diff/v6 v6.2.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/structured-merge-diff/v6 v6.3.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= -sigs.k8s.io/structured-merge-diff/v6 v6.3.1-0.20251003215857-446d8398e19c h1:RCkxmWwPjOw2O1RiDgBgI6tfISvB07jAh+GEztp7TWk= -sigs.k8s.io/structured-merge-diff/v6 v6.3.1-0.20251003215857-446d8398e19c/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2 h1:kwVWMx5yS1CrnFWA/2QHyRVJ8jM6dBA80uLmm0wJkk8= +sigs.k8s.io/structured-merge-diff/v6 v6.3.2/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= sigs.k8s.io/yaml v1.6.0 h1:G8fkbMSAFqgEFgh4b1wmtzDnioxFCUgTZhlbj5P9QYs= diff --git a/hack/gen-catalog/main.go b/hack/gen-catalog/main.go index 04cd1554f8..4f4b53392a 100644 --- a/hack/gen-catalog/main.go +++ b/hack/gen-catalog/main.go @@ -179,7 +179,7 @@ func generateCommandsDocs(out io.Writer) error { if err := doc.GenMarkdown(c, &cmdDesc); err != nil { return fmt.Errorf("error generating Markdown for command: %v : %w", c, err) } - for _, line := range strings.Split(cmdDesc.String(), "\n") { + for line := range strings.SplitSeq(cmdDesc.String(), "\n") { if strings.HasPrefix(line, "### SEE ALSO") { break } diff --git a/hack/gen-crd-spec/main.go b/hack/gen-crd-spec/main.go index cd700fb535..8e428476eb 100644 --- a/hack/gen-crd-spec/main.go +++ b/hack/gen-crd-spec/main.go 
@@ -11,7 +11,7 @@ import ( "github.com/argoproj/argo-cd/v3/pkg/apis/application" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "sigs.k8s.io/yaml" @@ -75,7 +75,7 @@ func deleteFile(path string) { func removeValidation(un *unstructured.Unstructured, path string) { schemaPath := []string{"spec", "versions[*]", "schema", "openAPIV3Schema"} - for _, part := range strings.Split(path, ".") { + for part := range strings.SplitSeq(path, ".") { schemaPath = append(schemaPath, "properties", part) } unstructured.RemoveNestedField(un.Object, schemaPath...) diff --git a/hack/gen-resources/generators/cluster_generator.go b/hack/gen-resources/generators/cluster_generator.go index 01292aeb51..3c01e4326e 100644 --- a/hack/gen-resources/generators/cluster_generator.go +++ b/hack/gen-resources/generators/cluster_generator.go @@ -157,7 +157,7 @@ func (cg *ClusterGenerator) getClusterServerURI(namespace string, releaseSuffix } func (cg *ClusterGenerator) retrieveClusterURI(namespace, releaseSuffix string) string { - for i := 0; i < 10; i++ { + for range 10 { log.Print("Attempting to get cluster uri") uri, err := cg.getClusterServerURI(namespace, releaseSuffix) if err != nil { @@ -189,7 +189,7 @@ func (cg *ClusterGenerator) generate(i int, opts *util.GenerateOpts) error { log.Print("Get cluster credentials") caData, cert, key, err := cg.getClusterCredentials(namespace, releaseSuffix) - for o := 0; o < 5; o++ { + for range 5 { if err == nil { break } diff --git a/hack/get-previous-release/go.mod b/hack/get-previous-release/go.mod index e211fe04c4..330c94630c 100644 --- a/hack/get-previous-release/go.mod +++ b/hack/get-previous-release/go.mod @@ -1,6 +1,6 @@ module github.com/argoproj/argo-cd/get-previous-release -go 1.25.5 +go 1.26.0 require ( github.com/stretchr/testify v1.9.0 
diff --git a/hack/installers/checksums/git-lfs-linux-amd64-v3.7.1.tar.gz.sha256 b/hack/installers/checksums/git-lfs-linux-amd64-v3.7.1.tar.gz.sha256 new file mode 100644 index 0000000000..96c21820b6 --- /dev/null +++ b/hack/installers/checksums/git-lfs-linux-amd64-v3.7.1.tar.gz.sha256 @@ -0,0 +1 @@ +1c0b6ee5200ca708c5cebebb18fdeb0e1c98f1af5c1a9cba205a4c0ab5a5ec08 git-lfs-linux-amd64-v3.7.1.tar.gz diff --git a/hack/installers/checksums/git-lfs-linux-arm64-v3.7.1.tar.gz.sha256 b/hack/installers/checksums/git-lfs-linux-arm64-v3.7.1.tar.gz.sha256 new file mode 100644 index 0000000000..327275ee29 --- /dev/null +++ b/hack/installers/checksums/git-lfs-linux-arm64-v3.7.1.tar.gz.sha256 @@ -0,0 +1 @@ +73a9c90eeb4312133a63c3eaee0c38c019ea7bfa0953d174809d25b18588dd8d git-lfs-linux-arm64-v3.7.1.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_darwin_amd64.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_darwin_amd64.tar.gz.sha256 new file mode 100644 index 0000000000..8702ce2413 --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_darwin_amd64.tar.gz.sha256 @@ -0,0 +1 @@ +ee7cf0c1e3592aa7bb66ba82b359933a95e7f2e0b36e5f53ed0a4535b017f2f8 kustomize_5.8.1_darwin_amd64.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_darwin_arm64.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_darwin_arm64.tar.gz.sha256 new file mode 100644 index 0000000000..1fdbcc1877 --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_darwin_arm64.tar.gz.sha256 @@ -0,0 +1 @@ +8886f8a78474e608cc81234f729fda188a9767da23e28925802f00ece2bab288 kustomize_5.8.1_darwin_arm64.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_linux_amd64.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_linux_amd64.tar.gz.sha256 new file mode 100644 index 0000000000..16fef3f8ec --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_linux_amd64.tar.gz.sha256 
@@ -0,0 +1 @@ +029a7f0f4e1932c52a0476cf02a0fd855c0bb85694b82c338fc648dcb53a819d kustomize_5.8.1_linux_amd64.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_linux_arm64.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_linux_arm64.tar.gz.sha256 new file mode 100644 index 0000000000..c688fa5665 --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_linux_arm64.tar.gz.sha256 @@ -0,0 +1 @@ +0953ea3e476f66d6ddfcd911d750f5167b9365aa9491b2326398e289fef2c142 kustomize_5.8.1_linux_arm64.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_linux_ppc64le.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_linux_ppc64le.tar.gz.sha256 new file mode 100644 index 0000000000..a852dd4ce6 --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_linux_ppc64le.tar.gz.sha256 @@ -0,0 +1 @@ +87ffa6d248d6baceb35463042da354a317bfd3ee49afc7f9850c05c36319c708 kustomize_5.8.1_linux_ppc64le.tar.gz diff --git a/hack/installers/checksums/kustomize_5.8.1_linux_s390x.tar.gz.sha256 b/hack/installers/checksums/kustomize_5.8.1_linux_s390x.tar.gz.sha256 new file mode 100644 index 0000000000..246bb187b1 --- /dev/null +++ b/hack/installers/checksums/kustomize_5.8.1_linux_s390x.tar.gz.sha256 @@ -0,0 +1 @@ +12df0fcec017a82b41d87b85c53263ae9657740b130eba42381bae3495521c9b kustomize_5.8.1_linux_s390x.tar.gz diff --git a/hack/installers/install-git-lfs.sh b/hack/installers/install-git-lfs.sh new file mode 100755 index 0000000000..90bbce22a1 --- /dev/null +++ b/hack/installers/install-git-lfs.sh 
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -eux -o pipefail
+
+. "$(dirname "$0")"/../tool-versions.sh
+
+export TARGET_FILE=git-lfs-${INSTALL_OS}-${ARCHITECTURE}-v${git_lfs_version}.tar.gz
+
+[ -e "$DOWNLOADS/${TARGET_FILE}" ] || curl -sLf --retry 3 -o "$DOWNLOADS/${TARGET_FILE}" "https://github.com/git-lfs/git-lfs/releases/download/v${git_lfs_version}/${TARGET_FILE}"
+"$(dirname "$0")"/compare-chksum.sh
+mkdir -p /tmp/git-lfs && tar -C /tmp/git-lfs --strip-components=1 -xzf "$DOWNLOADS/${TARGET_FILE}"
+sudo install -m 0755 "/tmp/git-lfs/git-lfs" "$BIN/git-lfs"
+git-lfs version
diff --git a/hack/installers/install-lint-tools.sh b/hack/installers/install-lint-tools.sh
index 1585479277..cb58d75acd 100755
--- a/hack/installers/install-lint-tools.sh
+++ b/hack/installers/install-lint-tools.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 set -eux -o pipefail
-# renovate: datasource=go packageName=github.com/golangci/golangci-lint
-GOLANGCI_LINT_VERSION=2.5.0
+# renovate: datasource=go packageName=github.com/golangci/golangci-lint/v2
+GOLANGCI_LINT_VERSION=2.8.0
 GO111MODULE=on go install "github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v${GOLANGCI_LINT_VERSION}"
diff --git a/hack/k8s/main.go b/hack/k8s/main.go
index 7e5a33798b..d7ec1cfcf6 100644
--- a/hack/k8s/main.go
+++ b/hack/k8s/main.go
@@ -11,7 +11,7 @@ import (
 "github.com/argoproj/argo-cd/v3/util/errors"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "sigs.k8s.io/controller-runtime/pkg/envtest"
 )
@@ -35,7 +35,7 @@ func main() {
 attempts := 5
 interval := time.Second
- for i := 0; i < attempts; i++ {
+ for range attempts {
 _, err = client.ServerVersion()
 if err == nil {
 break
diff --git a/hack/tool-versions.sh b/hack/tool-versions.sh
index 940b580396..84bec7b77c 100644
--- a/hack/tool-versions.sh
+++ b/hack/tool-versions.sh
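Review bot: The `mkdir -p /tmp/git-lfs && tar -C /tmp/git-lfs ...` line extracts into a predictable path inside a shared, world-writable directory, and `mkdir -p` does not fail when that directory already exists, so a pre-existing `/tmp/git-lfs` owned by another user is reused as-is and the following `sudo install` then copies whatever `git-lfs` ends up there into `$BIN`. The checksum verification via compare-chksum.sh before extraction is the right place for it and should stay; the remaining gap is the predictable temp path, which `mktemp -d` plus an exit trap closes and also stops the extracted tree from being left behind. The `--strip-components=1` assumes a single top-level directory in the archive, which is worth a one-line comment so a future layout change fails loudly.
```shell
# … unchanged: tool-versions.sh include, TARGET_FILE, download and compare-chksum.sh …
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
tar -C "$workdir" --strip-components=1 -xzf "$DOWNLOADS/${TARGET_FILE}"
sudo install -m 0755 "$workdir/git-lfs" "$BIN/git-lfs"
```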
@@ -12,6 +12,7 @@
 # add-kustomize-checksums.sh to help download checksums.
 ###############################################################################
 helm3_version=3.19.4
-kustomize5_version=5.8.0
+kustomize5_version=5.8.1
 protoc_version=29.3
 oras_version=1.2.0
+git_lfs_version=3.7.1
diff --git a/hack/update-manifests.sh b/hack/update-manifests.sh
index b388312372..3612ff982a 100755
--- a/hack/update-manifests.sh
+++ b/hack/update-manifests.sh
@@ -70,6 +70,10 @@ fi
 # if the tag has not been declared, and we are on a release branch, use the VERSION file.
 if [ "$IMAGE_TAG" = "" ]; then
 branch=$(git rev-parse --abbrev-ref HEAD)
+ # In GitHub Actions PRs, HEAD is detached; use GITHUB_BASE_REF (the target branch) instead
+ if [ "$branch" = "HEAD" ] && [ -n "${GITHUB_BASE_REF:-}" ]; then
+ branch="$GITHUB_BASE_REF"
+ fi
 if [[ $branch = release-* ]]; then
 pwd
 IMAGE_TAG=v$(cat "$SRCROOT/VERSION")
diff --git a/manifests/README.md b/manifests/README.md
index ad7b09c610..338a39f2d8 100644
--- a/manifests/README.md
+++ b/manifests/README.md
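Review bot: The new guard in update-manifests.sh uses POSIX `[ ... ]` tests while the line directly below it relies on the bash `[[ $branch = release-* ]]` pattern match, so the block now mixes two test syntaxes for no reason; `if [[ $branch = HEAD && -n ${GITHUB_BASE_REF:-} ]]; then` keeps it consistent with what the script already depends on. The comment could also say that in the PR case the tag is then derived from the PR's target branch rather than from the checked-out commit, which appears to be the intent but is not obvious from the variable name alone. The enclosing `if [ "$IMAGE_TAG" = "" ]` block closes outside the hunk.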
@@ -17,12 +17,13 @@ Four sets of installation manifests are provided: external clusters. Will still be possible to deploy to the same cluster (kubernetes.default.svc) with inputted credentials (i.e. `argocd cluster add --in-cluster --namespace `). - > Note: Argo CD CRDs are not included into [namespace-install.yaml](namespace-install.yaml). - > and have to be installed separately. The CRD manifests are located in [manifests/crds](./crds) directory. - > Use the following command to install them: - > ```bash - > kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable - > ``` +> [!NOTE] +> Argo CD CRDs are not included into [namespace-install.yaml](namespace-install.yaml). +> and have to be installed separately. The CRD manifests are located in [manifests/crds](./crds) directory. +> Use the following command to install them: +> ```bash +> kubectl apply -k https://github.com/argoproj/argo-cd/manifests/crds\?ref\=stable +> ``` ## High Availability: diff --git a/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml b/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml index 2d29e40ec4..77d729e3fc 100644 --- a/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml +++ b/manifests/base/application-controller-deployment/argocd-application-controller-deployment.yaml @@ -25,6 +25,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.grpc.enable.txt.service.config + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
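Review bot: `GRPC_ENABLE_TXT_SERVICE_CONFIG` is consumed by the gRPC Go library directly rather than by an Argo CD flag, so whatever string lands in `controller.grpc.enable.txt.service.config` reaches the library without Argo CD validating it. The argocd-cmd-params-cm documentation should state that the value is a boolean, what the effective default is for the grpc-go version pinned in go.sum (v1.79.1), and that enabling it lets DNS TXT records supply client-side gRPC service configuration, which makes the DNS resolution path part of the trust boundary and is best left disabled unless that path is controlled. The same passthrough is added for the application-controller statefulset, the applicationset controller, the commit server, the repo server and the API server, and in the generated core-install manifests, so this note covers those hunks too.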
@@ -91,6 +97,48 @@ spec: name: argocd-cmd-params-cm key: log.format.timestamp optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.qps + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.burst + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.max.idle.connections + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.timeout + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.keepalive + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tls.handshake.timeout + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.idle.timeout + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: @@ -331,4 +379,4 @@ spec: - key: controller.profile.enabled path: profiler.enabled nodeSelector: - kubernetes.io/os: linux \ No newline at end of file + kubernetes.io/os: linux diff --git a/manifests/base/application-controller/argocd-application-controller-statefulset.yaml b/manifests/base/application-controller/argocd-application-controller-statefulset.yaml index 6d7392f41f..9ca7e668d8 100644 --- a/manifests/base/application-controller/argocd-application-controller-statefulset.yaml +++ b/manifests/base/application-controller/argocd-application-controller-statefulset.yaml 
@@ -26,6 +26,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.grpc.enable.txt.service.config + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -94,6 +100,48 @@ spec: name: argocd-cmd-params-cm key: log.format.timestamp optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.qps + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.burst + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.client.max.idle.connections + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.timeout + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.keepalive + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tls.handshake.timeout + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: controller.k8s.tcp.idle.timeout + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml index b23f78b84e..f5514b1230 100644 --- a/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml 
+++ b/manifests/base/applicationset-controller/argocd-applicationset-controller-deployment.yaml @@ -27,6 +27,12 @@ spec: - containerPort: 8080 name: metrics env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.grpc.enable.txt.service.config + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: @@ -91,6 +97,48 @@ spec: name: argocd-cmd-params-cm key: log.format.timestamp optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.client.qps + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.client.burst + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.client.max.idle.connections + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.tcp.timeout + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.tcp.keepalive + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.tls.handshake.timeout + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: applicationsetcontroller.k8s.tcp.idle.timeout + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -251,4 +299,4 @@ spec: - key: applicationsetcontroller.profile.enabled path: profiler.enabled nodeSelector: - kubernetes.io/os: linux \ No newline at end of file + kubernetes.io/os: linux 
diff --git a/manifests/base/commit-server/argocd-commit-server-deployment.yaml b/manifests/base/commit-server/argocd-commit-server-deployment.yaml index b682b0d724..312ab9cd4e 100644 --- a/manifests/base/commit-server/argocd-commit-server-deployment.yaml +++ b/manifests/base/commit-server/argocd-commit-server-deployment.yaml @@ -24,6 +24,12 @@ spec: args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: commitserver.grpc.enable.txt.service.config + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: diff --git a/manifests/base/dex/argocd-dex-server-deployment.yaml b/manifests/base/dex/argocd-dex-server-deployment.yaml index 1c1203b63e..bb96fdd34b 100644 --- a/manifests/base/dex/argocd-dex-server-deployment.yaml +++ b/manifests/base/dex/argocd-dex-server-deployment.yaml @@ -37,7 +37,7 @@ spec: type: RuntimeDefault containers: - name: dex - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always command: [/shared/argocd-dex, rundex] env: diff --git a/manifests/base/repo-server/argocd-repo-server-deployment.yaml b/manifests/base/repo-server/argocd-repo-server-deployment.yaml index 577771c05d..13671de53a 100644 --- a/manifests/base/repo-server/argocd-repo-server-deployment.yaml +++ b/manifests/base/repo-server/argocd-repo-server-deployment.yaml @@ -29,6 +29,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: reposerver.grpc.enable.txt.service.config + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -363,6 +369,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - name: argocd-cmd-params-cm + configMap: + optional: true + name: argocd-cmd-params-cm + items: + - key: reposerver.profile.enabled + path: profiler.enabled affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: diff --git a/manifests/base/server/argocd-server-deployment.yaml b/manifests/base/server/argocd-server-deployment.yaml index acfbbc2361..7475eafe23 100644 --- a/manifests/base/server/argocd-server-deployment.yaml +++ b/manifests/base/server/argocd-server-deployment.yaml @@ -28,6 +28,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.grpc.enable.txt.service.config + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: 
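Review bot: The new `argocd-cmd-params-cm` volume is declared, but no matching `volumeMounts` entry appears in this hunk, so unless the repo-server container already mounts a volume of that name elsewhere in the file the `profiler.enabled` file is never visible to the process; please confirm the mount exists. The application controller manifest in this same change pairs the identical `profiler.enabled` item with an entry under its `volumes:` list, so the pattern presumably relies on a mount that is already present. The enclosing `volumes:` list begins outside the hunk.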
@@ -58,6 +64,48 @@ spec: name: argocd-cmd-params-cm key: server.log.level optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.client.qps + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.client.burst + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.client.max.idle.connections + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.tcp.timeout + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.tcp.keepalive + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.tls.handshake.timeout + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + name: argocd-cmd-params-cm + key: server.k8s.tcp.idle.timeout + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: @@ -404,4 +452,4 @@ spec: app.kubernetes.io/part-of: argocd topologyKey: kubernetes.io/hostname nodeSelector: - kubernetes.io/os: linux \ No newline at end of file + kubernetes.io/os: linux diff --git a/manifests/core-install-with-hydrator.yaml b/manifests/core-install-with-hydrator.yaml index fb116065bf..4cc9075d8b 100644 --- a/manifests/core-install-with-hydrator.yaml +++ b/manifests/core-install-with-hydrator.yaml 
@@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -31117,6 +31118,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -31181,6 +31188,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -31388,6 +31437,12 @@ spec: - args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: commitserver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: @@ -31609,6 +31664,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -31950,6 +32011,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: StatefulSet @@ -31994,6 +32062,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -32062,6 +32136,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/core-install.yaml b/manifests/core-install.yaml index 963cc48ad0..e8bf0764d4 100644 
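Review bot: The new `argocd-cmd-params-cm` volume projecting `reposerver.profile.enabled` as `profiler.enabled` has no matching `volumeMounts` entry in this hunk, so where the repo-server reads the file, and whether the mount is `readOnly: true`, cannot be confirmed from here; please check the container spec outside the hunk. Because the flag is projected as a file rather than read as an env var, it can presumably be toggled on a running pod by anyone able to edit the ConfigMap, without a restart; if the flag enables a profiling endpoint, that is a runtime debug surface worth stating next to the key, e.g. `# reposerver.profile.enabled: toggles the repo-server profiler at runtime via a projected file; restrict write access to argocd-cmd-params-cm`. The volumes list this hunk modifies belongs to a Deployment whose start is outside the hunk.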
--- a/manifests/core-install.yaml +++ b/manifests/core-install.yaml @@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -31085,6 +31086,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -31149,6 +31156,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -31443,6 +31492,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: @@ -31784,6 +31839,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: StatefulSet 
@@ -31828,6 +31890,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -31896,6 +31964,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/crds/application-crd.yaml b/manifests/crds/application-crd.yaml index 022fb1d48b..cb47657f75 100644 --- a/manifests/crds/application-crd.yaml +++ b/manifests/crds/application-crd.yaml 
@@ -410,12 +410,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -799,12 +799,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1298,11 +1298,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1675,12 +1675,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2086,12 +2086,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2645,12 +2645,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3038,12 +3038,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3190,6 +3190,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3586,12 +3587,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -3999,12 +4000,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4529,12 +4530,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4933,12 +4934,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5458,12 +5459,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5911,12 +5912,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6424,12 +6425,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6828,12 +6829,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize diff --git a/manifests/dev-tilt/kustomization.yaml b/manifests/dev-tilt/kustomization.yaml index d5eb1926ca..2ee05f75ea 100644 --- a/manifests/dev-tilt/kustomization.yaml +++ b/manifests/dev-tilt/kustomization.yaml 
@@ -13,9 +13,6 @@ patches: kind: Deployment name: argocd-server patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: remove path: /spec/template/spec/containers/0/securityContext - op: add @@ -30,9 +27,6 @@ patches: kind: Deployment name: argocd-repo-server patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: replace path: /spec/template/spec/initContainers/0/image value: argocd-job @@ -52,9 +46,6 @@ patches: kind: Deployment name: argocd-commit-server patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: remove path: /spec/template/spec/containers/0/securityContext - op: add @@ -69,9 +60,6 @@ patches: kind: StatefulSet name: argocd-application-controller patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: remove path: /spec/template/spec/containers/0/securityContext - op: add @@ -96,9 +84,6 @@ patches: kind: Deployment name: argocd-notifications-controller patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: remove path: /spec/template/spec/containers/0/securityContext - op: remove @@ -117,9 +102,6 @@ patches: kind: Deployment name: argocd-applicationset-controller patch: |- - - op: replace - path: /spec/template/spec/containers/0/image - value: argocd - op: remove path: /spec/template/spec/containers/0/securityContext - op: add diff --git a/manifests/ha/install-with-hydrator.yaml b/manifests/ha/install-with-hydrator.yaml index 7a14767821..9578c133fe 100644 --- a/manifests/ha/install-with-hydrator.yaml +++ b/manifests/ha/install-with-hydrator.yaml 
@@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -32483,6 +32484,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -32547,6 +32554,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -32754,6 +32803,12 @@ spec: - args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: commitserver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: @@ -32906,7 +32961,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: 
@@ -33244,6 +33299,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: @@ -33585,6 +33646,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -33629,6 +33697,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: 
@@ -33659,6 +33733,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: @@ -34039,6 +34155,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT 
@@ -34107,6 +34229,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/ha/install.yaml b/manifests/ha/install.yaml index 8c4f0df344..877451489c 100644 --- a/manifests/ha/install.yaml +++ b/manifests/ha/install.yaml 
@@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -32453,6 +32454,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -32517,6 +32524,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -32742,7 +32791,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -33080,6 +33129,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -33421,6 +33476,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -33465,6 +33527,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: @@ -33495,6 +33563,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: 
@@ -33875,6 +33985,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -33943,6 +34059,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/ha/namespace-install-with-hydrator.yaml b/manifests/ha/namespace-install-with-hydrator.yaml index 553b5712dc..322f4d26af 100644 --- a/manifests/ha/namespace-install-with-hydrator.yaml +++ b/manifests/ha/namespace-install-with-hydrator.yaml 
@@ -1731,6 +1731,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: @@ -1795,6 +1801,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: 
@@ -2002,6 +2050,12 @@ spec: - args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: commitserver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: @@ -2154,7 +2208,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -2492,6 +2546,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: @@ -2833,6 +2893,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -2877,6 +2944,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: 
@@ -2907,6 +2980,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: @@ -3287,6 +3402,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT 
@@ -3355,6 +3476,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/ha/namespace-install.yaml b/manifests/ha/namespace-install.yaml index 3d4895057d..5462f02301 100644 --- a/manifests/ha/namespace-install.yaml +++ b/manifests/ha/namespace-install.yaml @@ -1701,6 +1701,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -1765,6 +1771,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -1990,7 +2038,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -2328,6 +2376,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -2669,6 +2723,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -2713,6 +2774,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: @@ -2743,6 +2810,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: 
@@ -3123,6 +3232,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -3191,6 +3306,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/install-with-hydrator.yaml b/manifests/install-with-hydrator.yaml index b3ceda23e5..55152e31ce 100644 --- a/manifests/install-with-hydrator.yaml +++ b/manifests/install-with-hydrator.yaml 
@@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: 
@@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string @@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -31561,6 +31562,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -31625,6 +31632,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -31832,6 +31881,12 @@ spec: - args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: commitserver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: @@ -31984,7 +32039,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: 
@@ -32274,6 +32329,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: @@ -32615,6 +32676,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -32657,6 +32725,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: 
@@ -32687,6 +32761,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: @@ -33067,6 +33183,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT 
@@ -33135,6 +33257,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/install.yaml b/manifests/install.yaml index 8e061e9a89..fc865d8e7b 100644 --- a/manifests/install.yaml +++ b/manifests/install.yaml @@ -411,12 +411,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -800,12 +800,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -1299,11 +1299,11 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources + description: NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources + description: NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps type: string namespace: @@ -1676,12 +1676,12 @@ spec: apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -2087,12 +2087,12 @@ spec: common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in the + kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in the + kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -2646,12 +2646,12 @@ spec: to apply common labels to resource selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3039,12 +3039,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -3191,6 +3191,7 @@ spec: observedAt: description: |- ObservedAt indicates when the application state was updated without querying latest git state + Deprecated: controller no longer updates ObservedAt field format: date-time type: string 
@@ -3587,12 +3588,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4000,12 +4001,12 @@ spec: selectors or not type: boolean namePrefix: - description: NamePrefix is a prefix appended - to resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended - to resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -4530,12 +4531,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize 
@@ -4934,12 +4935,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -5459,12 +5460,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that @@ -5912,12 +5913,12 @@ spec: or not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that 
@@ -6425,12 +6426,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to resources - for Kustomize apps + description: NamePrefix overrides the namePrefix in + the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to resources - for Kustomize apps + description: NameSuffix overrides the nameSuffix in + the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -6829,12 +6830,12 @@ spec: not type: boolean namePrefix: - description: NamePrefix is a prefix appended to - resources for Kustomize apps + description: NamePrefix overrides the namePrefix + in the kustomization.yaml for Kustomize apps type: string nameSuffix: - description: NameSuffix is a suffix appended to - resources for Kustomize apps + description: NameSuffix overrides the nameSuffix + in the kustomization.yaml for Kustomize apps type: string namespace: description: Namespace sets the namespace that Kustomize @@ -31529,6 +31530,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -31593,6 +31600,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -31818,7 +31867,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -32108,6 +32157,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -32449,6 +32504,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -32491,6 +32553,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: @@ -32521,6 +32589,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: 
@@ -32901,6 +33011,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -32969,6 +33085,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/namespace-install-with-hydrator.yaml b/manifests/namespace-install-with-hydrator.yaml index eac93a570c..6beafa6de0 100644 --- a/manifests/namespace-install-with-hydrator.yaml +++ b/manifests/namespace-install-with-hydrator.yaml 
@@ -809,6 +809,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: @@ -873,6 +879,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: 
@@ -1080,6 +1128,12 @@ spec: - args: - /usr/local/bin/argocd-commit-server env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: commitserver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_COMMIT_SERVER_LISTEN_ADDRESS valueFrom: configMapKeyRef: @@ -1232,7 +1286,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -1522,6 +1576,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: @@ -1863,6 +1923,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -1905,6 +1972,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: 
@@ -1935,6 +2008,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: @@ -2315,6 +2430,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT 
@@ -2383,6 +2504,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/manifests/namespace-install.yaml b/manifests/namespace-install.yaml index 8d94719590..371f0eb96d 100644 --- a/manifests/namespace-install.yaml +++ b/manifests/namespace-install.yaml @@ -777,6 +777,12 @@ spec: - args: - /usr/local/bin/argocd-applicationset-controller env: + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_GLOBAL_PRESERVED_ANNOTATIONS valueFrom: configMapKeyRef: 
@@ -841,6 +847,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: applicationsetcontroller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN valueFrom: configMapKeyRef: @@ -1066,7 +1114,7 @@ spec: key: dexserver.disable.tls name: argocd-cmd-params-cm optional: true - image: ghcr.io/dexidp/dex:v2.43.0 + image: ghcr.io/dexidp/dex:v2.44.0 imagePullPolicy: Always name: dex ports: @@ -1356,6 +1404,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: reposerver.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_RECONCILIATION_TIMEOUT valueFrom: configMapKeyRef: 
@@ -1697,6 +1751,13 @@ spec: name: var-files - emptyDir: {} name: plugins + - configMap: + items: + - key: reposerver.profile.enabled + path: profiler.enabled + name: argocd-cmd-params-cm + optional: true + name: argocd-cmd-params-cm --- apiVersion: apps/v1 kind: Deployment @@ -1739,6 +1800,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: server.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_INSECURE valueFrom: configMapKeyRef: @@ -1769,6 +1836,48 @@ spec: key: server.log.level name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: server.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: server.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: server.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: server.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_SERVER_REPO_SERVER valueFrom: configMapKeyRef: 
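Review bot: The `argocd-cmd-params-cm` volume added in the first hunk projects `reposerver.profile.enabled` to a file named `profiler.enabled`, but no corresponding `volumeMounts` entry is visible in this hunk and the repo-server container spec it would belong to lies outside it; if the mount was not added there, the volume is inert. Because the switch is delivered as a projected file rather than an env var, ConfigMap edits presumably reach the running pod without a restart (the kubelet refreshes projected ConfigMap files), so anyone with write access to `argocd-cmd-params-cm` can turn the profiler on at runtime; if this is a pprof-style profiler, heap and goroutine dumps become reachable wherever it listens, and the operator docs for this key should name that port and state that it must not be the externally exposed listener. I would also document the `optional: true` on the volume: the pod still starts when the ConfigMap is missing, and the profiler is then presumably left off.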
@@ -2149,6 +2258,12 @@ spec: secretKeyRef: key: auth name: argocd-redis + - name: GRPC_ENABLE_TXT_SERVICE_CONFIG + valueFrom: + configMapKeyRef: + key: controller.grpc.enable.txt.service.config + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_CONTROLLER_REPLICAS value: "1" - name: ARGOCD_RECONCILIATION_TIMEOUT @@ -2217,6 +2332,48 @@ spec: key: log.format.timestamp name: argocd-cmd-params-cm optional: true + - name: ARGOCD_K8S_CLIENT_QPS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.qps + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_BURST + valueFrom: + configMapKeyRef: + key: controller.k8s.client.burst + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_CLIENT_MAX_IDLE_CONNECTIONS + valueFrom: + configMapKeyRef: + key: controller.k8s.client.max.idle.connections + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_KEEPALIVE + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.keepalive + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TLS_HANDSHAKE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tls.handshake.timeout + name: argocd-cmd-params-cm + optional: true + - name: ARGOCD_K8S_TCP_IDLE_TIMEOUT + valueFrom: + configMapKeyRef: + key: controller.k8s.tcp.idle.timeout + name: argocd-cmd-params-cm + optional: true - name: ARGOCD_APPLICATION_CONTROLLER_METRICS_CACHE_EXPIRATION valueFrom: configMapKeyRef: diff --git a/mkdocs.yml b/mkdocs.yml index 9acaa817bc..0e99b9a713 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
@@ -86,6 +86,7 @@ nav: - operator-manual/notifications/services/googlechat.md - operator-manual/notifications/services/grafana.md - operator-manual/notifications/services/mattermost.md + - operator-manual/notifications/services/nats.md - operator-manual/notifications/services/newrelic.md - operator-manual/notifications/services/opsgenie.md - operator-manual/notifications/services/overview.md diff --git a/pkg/apiclient/apiclient_test.go b/pkg/apiclient/apiclient_test.go index 54a35f9deb..8f49801f60 100644 --- a/pkg/apiclient/apiclient_test.go +++ b/pkg/apiclient/apiclient_test.go @@ -178,17 +178,15 @@ func TestExecuteRequest_ConcurrentErrorRequests_NoConnectionLeak(t *testing.T) { iterations := 5 var wg sync.WaitGroup - for iter := 0; iter < iterations; iter++ { - for i := 0; i < concurrency; i++ { - wg.Add(1) - go func() { - defer wg.Done() + for range iterations { + for range concurrency { + wg.Go(func() { ctx := context.Background() md := metadata.New(map[string]string{}) _, err := c.executeRequest(ctx, "/application.ApplicationService/ManagedResources", []byte("test"), md) // We expect errors assert.Error(t, err) - }() + }) } wg.Wait() } diff --git a/pkg/apiclient/application/forwarder_overwrite.go b/pkg/apiclient/application/forwarder_overwrite.go index fcaecce0de..76f4fb1440 100644 --- a/pkg/apiclient/application/forwarder_overwrite.go +++ b/pkg/apiclient/application/forwarder_overwrite.go @@ -87,7 +87,7 @@ func processApplicationListField(v any, fields map[string]any, exclude bool) (an } parts := strings.Split(field, ".") item := converted - for i := 0; i < len(parts); i++ { + for i := range parts { subField := parts[i] if i == len(parts)-1 { item[subField] = value diff --git a/pkg/apis/application/v1alpha1/app_project_types.go b/pkg/apis/application/v1alpha1/app_project_types.go index 85f6a204ea..0f2d268a86 100644 --- a/pkg/apis/application/v1alpha1/app_project_types.go +++ b/pkg/apis/application/v1alpha1/app_project_types.go 
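Review bot: The `wg.Go(func() { ... })` form introduced in the `TestExecuteRequest_ConcurrentErrorRequests_NoConnectionLeak` hunk relies on `sync.WaitGroup.Go`, which exists only from Go 1.25, so the module's `go` directive must be at least 1.25 for this test to build; that directive is not visible in this diff and is worth confirming, since the test file would otherwise fail to compile rather than merely skip. The enclosing test function starts outside the hunk.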
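Review bot: In the `processApplicationListField` hunk the new `for i := range parts` loop still indexes `parts[i]` on the following line to obtain `subField`; the idiomatic form is `for i, subField := range parts {` with the `subField := parts[i]` line removed, which keeps `i` available for the `len(parts)-1` comparison that follows. The enclosing function begins and ends outside the hunk.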
@@ -2,6 +2,7 @@ package v1alpha1 import ( "fmt" + "slices" "sort" "strconv" "strings" @@ -332,10 +333,8 @@ func (proj *AppProject) AddGroupToRole(roleName, group string) (bool, error) { if err != nil { return false, err } - for _, roleGroup := range role.Groups { - if group == roleGroup { - return false, nil - } + if slices.Contains(role.Groups, group) { + return false, nil } role.Groups = append(role.Groups, group) proj.Spec.Roles[roleIndex] = *role diff --git a/pkg/apis/application/v1alpha1/applicationset_types.go b/pkg/apis/application/v1alpha1/applicationset_types.go index f8af9f9240..42123edee4 100644 --- a/pkg/apis/application/v1alpha1/applicationset_types.go +++ b/pkg/apis/application/v1alpha1/applicationset_types.go @@ -20,7 +20,7 @@ import ( "encoding/json" "sort" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" diff --git a/pkg/apis/application/v1alpha1/applicationset_types_test.go b/pkg/apis/application/v1alpha1/applicationset_types_test.go index 5bafd90512..38d080b8c2 100644 --- a/pkg/apis/application/v1alpha1/applicationset_types_test.go +++ b/pkg/apis/application/v1alpha1/applicationset_types_test.go @@ -4,7 +4,7 @@ import ( "testing" "time" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/utils/ptr" diff --git a/pkg/apis/application/v1alpha1/generated.pb.go b/pkg/apis/application/v1alpha1/generated.pb.go index e4ce23836d..3a025aee85 100644 --- a/pkg/apis/application/v1alpha1/generated.pb.go +++ b/pkg/apis/application/v1alpha1/generated.pb.go 
@@ -6,8 +6,8 @@ package v1alpha1 import ( fmt "fmt" - github_com_argoproj_gitops_engine_pkg_health "github.com/argoproj/gitops-engine/pkg/health" - github_com_argoproj_gitops_engine_pkg_sync_common "github.com/argoproj/gitops-engine/pkg/sync/common" + github_com_argoproj_argo_cd_gitops_engine_pkg_health "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" io "io" 
@@ -4943,788 +4943,788 @@ func init() { } var fileDescriptor_c078c3c476799f44 = []byte{ - // 12489 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0xbd, 0x7d, 0x70, 0x24, 0xdb, - 0x55, 0x18, 0xee, 0x9e, 0xd1, 0x48, 0x33, 0x47, 0x1f, 0xbb, 0xba, 0xbb, 0xfb, 0x9e, 0x76, 0xdf, - 0x87, 0x96, 0x7e, 0xf0, 0x6c, 0x7e, 0x7e, 0x96, 0xf0, 0xda, 0xcf, 0xbc, 0x1f, 0x0f, 0x0c, 0xfa, - 0xd8, 0x0f, 0xed, 0x4a, 0x2b, 0xf9, 0x8e, 0x76, 0x17, 0x7f, 0x3c, 0xdb, 0xad, 0x9e, 0x2b, 0xa9, - 0x57, 0x3d, 0xdd, 0xf3, 0xba, 0x7b, 0xb4, 0x9a, 0x87, 0x31, 0x36, 0xb6, 0xc1, 0x60, 0x63, 0xbf, - 0x40, 0x0a, 0x1e, 0x49, 0x4c, 0x4c, 0x20, 0x1f, 0x55, 0x29, 0x0a, 0x12, 0xfe, 0x08, 0x15, 0xa0, - 0xa8, 0x00, 0x45, 0x41, 0x85, 0x04, 0x42, 0x11, 0x20, 0x01, 0x14, 0x7b, 0x93, 0x14, 0x54, 0xaa, - 0x42, 0x15, 0x49, 0xfe, 0x48, 0x6d, 0x52, 0x54, 0xea, 0x7e, 0xdf, 0xee, 0xe9, 0x91, 0x46, 0x3b, - 0x2d, 0xed, 0x1a, 0xde, 0x7f, 0x33, 0xf7, 0x9c, 0x3e, 0xe7, 0xf6, 0xed, 0x7b, 0xcf, 0x39, 0xf7, - 0xdc, 0x73, 0xce, 0x85, 0xe5, 0x2d, 0x2f, 0xd9, 0x6e, 0x6f, 0xcc, 0xb8, 0x61, 0x73, 0xd6, 0x89, - 0xb6, 0xc2, 0x56, 0x14, 0xde, 0x65, 0x3f, 0xde, 0xe1, 0x36, 0x66, 0x77, 0xdf, 0x35, 0xdb, 0xda, - 0xd9, 0x9a, 0x75, 0x5a, 0x5e, 0x3c, 0xeb, 0xb4, 0x5a, 0xbe, 0xe7, 0x3a, 0x89, 0x17, 0x06, 0xb3, - 0xbb, 0xef, 0x74, 0xfc, 0xd6, 0xb6, 0xf3, 0xce, 0xd9, 0x2d, 0x12, 0x90, 0xc8, 0x49, 0x48, 0x63, - 0xa6, 0x15, 0x85, 0x49, 0x88, 0xbe, 0x55, 0x53, 0x9b, 0x91, 0xd4, 0xd8, 0x8f, 0x8f, 0xb8, 0x8d, - 0x99, 0xdd, 0x77, 0xcd, 0xb4, 0x76, 0xb6, 0x66, 0x28, 0xb5, 0x19, 0x83, 0xda, 0x8c, 0xa4, 0x76, - 0xe1, 0x1d, 0x46, 0x5f, 0xb6, 0xc2, 0xad, 0x70, 0x96, 0x11, 0xdd, 0x68, 0x6f, 0xb2, 0x7f, 0xec, - 0x0f, 0xfb, 0xc5, 0x99, 0x5d, 0xb0, 0x77, 0x5e, 0x8a, 0x67, 0xbc, 0x90, 0x76, 0x6f, 0xd6, 0x0d, - 0x23, 0x32, 0xbb, 0xdb, 0xd5, 0xa1, 0x0b, 0xd7, 0x34, 0x0e, 0xd9, 0x4b, 0x48, 0x10, 0x7b, 0x61, - 0x10, 0xbf, 0x83, 0x76, 0x81, 0x44, 0xbb, 0x24, 0x32, 0x5f, 0xcf, 0x40, 0xc8, 0xa3, 0xf4, 0x6e, 
- 0x4d, 0xa9, 0xe9, 0xb8, 0xdb, 0x5e, 0x40, 0xa2, 0x8e, 0x7e, 0xbc, 0x49, 0x12, 0x27, 0xef, 0xa9, - 0xd9, 0x5e, 0x4f, 0x45, 0xed, 0x20, 0xf1, 0x9a, 0xa4, 0xeb, 0x81, 0xf7, 0x1c, 0xf6, 0x40, 0xec, - 0x6e, 0x93, 0xa6, 0xd3, 0xf5, 0xdc, 0xbb, 0x7a, 0x3d, 0xd7, 0x4e, 0x3c, 0x7f, 0xd6, 0x0b, 0x92, - 0x38, 0x89, 0xb2, 0x0f, 0xd9, 0x7f, 0xcf, 0x82, 0xf1, 0xb9, 0x3b, 0xf5, 0xb9, 0x76, 0xb2, 0xbd, - 0x10, 0x06, 0x9b, 0xde, 0x16, 0x7a, 0x11, 0x46, 0x5d, 0xbf, 0x1d, 0x27, 0x24, 0xba, 0xe9, 0x34, - 0xc9, 0x94, 0x75, 0xd1, 0x7a, 0x5b, 0x6d, 0xfe, 0xcc, 0x6f, 0xee, 0x4f, 0xbf, 0xe5, 0xfe, 0xfe, - 0xf4, 0xe8, 0x82, 0x06, 0x61, 0x13, 0x0f, 0x7d, 0x23, 0x8c, 0x44, 0xa1, 0x4f, 0xe6, 0xf0, 0xcd, - 0xa9, 0x12, 0x7b, 0xe4, 0x94, 0x78, 0x64, 0x04, 0xf3, 0x66, 0x2c, 0xe1, 0x14, 0xb5, 0x15, 0x85, - 0x9b, 0x9e, 0x4f, 0xa6, 0xca, 0x69, 0xd4, 0x35, 0xde, 0x8c, 0x25, 0xdc, 0xfe, 0xf1, 0x12, 0x9c, - 0x9a, 0x6b, 0xb5, 0xae, 0x11, 0xc7, 0x4f, 0xb6, 0xeb, 0x89, 0x93, 0xb4, 0x63, 0xb4, 0x05, 0xc3, - 0x31, 0xfb, 0x25, 0xfa, 0xb6, 0x2a, 0x9e, 0x1e, 0xe6, 0xf0, 0x07, 0xfb, 0xd3, 0xdf, 0x96, 0x37, - 0xa3, 0xb7, 0xbc, 0x24, 0x6c, 0xc5, 0xef, 0x20, 0xc1, 0x96, 0x17, 0x10, 0x36, 0x2e, 0xdb, 0x8c, - 0xea, 0x8c, 0x49, 0x7c, 0x21, 0x6c, 0x10, 0x2c, 0xc8, 0xd3, 0x7e, 0x36, 0x49, 0x1c, 0x3b, 0x5b, - 0x24, 0xfb, 0x4a, 0x2b, 0xbc, 0x19, 0x4b, 0x38, 0x8a, 0x00, 0xf9, 0x4e, 0x9c, 0xac, 0x47, 0x4e, - 0x10, 0x7b, 0x74, 0x4a, 0xaf, 0x7b, 0x4d, 0xfe, 0x76, 0xa3, 0x97, 0xfe, 0xbf, 0x19, 0xfe, 0x61, - 0x66, 0xcc, 0x0f, 0xa3, 0xd7, 0x01, 0x9d, 0x37, 0x33, 0xbb, 0xef, 0x9c, 0xa1, 0x4f, 0xcc, 0x3f, - 0x71, 0x7f, 0x7f, 0x1a, 0x2d, 0x77, 0x51, 0xc2, 0x39, 0xd4, 0xed, 0x3f, 0x28, 0x01, 0xcc, 0xb5, - 0x5a, 0x6b, 0x51, 0x78, 0x97, 0xb8, 0x09, 0xfa, 0x28, 0x54, 0x29, 0xa9, 0x86, 0x93, 0x38, 0x6c, - 0x60, 0x46, 0x2f, 0x7d, 0x53, 0x7f, 0x8c, 0x57, 0x37, 0xe8, 0xf3, 0x2b, 0x24, 0x71, 0xe6, 0x91, - 0x78, 0x41, 0xd0, 0x6d, 0x58, 0x51, 0x45, 0x01, 0x0c, 0xc5, 0x2d, 0xe2, 0xb2, 0xc1, 0x18, 0xbd, - 0xb4, 0x3c, 0x33, 0xc8, 0x4a, 0x9f, 
0xd1, 0x3d, 0xaf, 0xb7, 0x88, 0x3b, 0x3f, 0x26, 0x38, 0x0f, - 0xd1, 0x7f, 0x98, 0xf1, 0x41, 0xbb, 0xea, 0x43, 0xf3, 0x81, 0xbc, 0x59, 0x18, 0x47, 0x46, 0x75, - 0x7e, 0x22, 0x3d, 0x71, 0xe4, 0x77, 0xb7, 0xff, 0xd4, 0x82, 0x09, 0x8d, 0xbc, 0xec, 0xc5, 0x09, - 0xfa, 0x50, 0xd7, 0xe0, 0xce, 0xf4, 0x37, 0xb8, 0xf4, 0x69, 0x36, 0xb4, 0xa7, 0x05, 0xb3, 0xaa, - 0x6c, 0x31, 0x06, 0xb6, 0x09, 0x15, 0x2f, 0x21, 0xcd, 0x78, 0xaa, 0x74, 0xb1, 0xfc, 0xb6, 0xd1, - 0x4b, 0xd7, 0x8a, 0x7a, 0xcf, 0xf9, 0x71, 0xc1, 0xb4, 0xb2, 0x44, 0xc9, 0x63, 0xce, 0xc5, 0xfe, - 0xed, 0x09, 0xf3, 0xfd, 0xe8, 0x80, 0xa3, 0x77, 0xc2, 0x68, 0x1c, 0xb6, 0x23, 0x97, 0x60, 0xd2, - 0x0a, 0xe9, 0xc2, 0x2a, 0xd3, 0xe9, 0x4e, 0x17, 0x7c, 0x5d, 0x37, 0x63, 0x13, 0x07, 0x7d, 0xc1, - 0x82, 0xb1, 0x06, 0x89, 0x13, 0x2f, 0x60, 0xfc, 0x65, 0xe7, 0xd7, 0x07, 0xee, 0xbc, 0x6c, 0x5c, - 0xd4, 0xc4, 0xe7, 0xcf, 0x8a, 0x17, 0x19, 0x33, 0x1a, 0x63, 0x9c, 0xe2, 0x4f, 0x05, 0x57, 0x83, - 0xc4, 0x6e, 0xe4, 0xb5, 0xe8, 0x7f, 0x21, 0x5a, 0x94, 0xe0, 0x5a, 0xd4, 0x20, 0x6c, 0xe2, 0xa1, - 0x00, 0x2a, 0x54, 0x30, 0xc5, 0x53, 0x43, 0xac, 0xff, 0x4b, 0x83, 0xf5, 0x5f, 0x0c, 0x2a, 0x95, - 0x79, 0x7a, 0xf4, 0xe9, 0xbf, 0x18, 0x73, 0x36, 0xe8, 0x5f, 0x5a, 0x30, 0x25, 0x04, 0x27, 0x26, - 0x7c, 0x40, 0xef, 0x6c, 0x7b, 0x09, 0xf1, 0xbd, 0x38, 0x99, 0xaa, 0xb0, 0x3e, 0x7c, 0x68, 0xb0, - 0x3e, 0x2c, 0xa4, 0xa9, 0x63, 0x12, 0x27, 0x91, 0xe7, 0x52, 0x1c, 0x3a, 0x0d, 0xe6, 0x2f, 0x8a, - 0x6e, 0x4d, 0x2d, 0xf4, 0xe8, 0x05, 0xee, 0xd9, 0x3f, 0xf4, 0x23, 0x16, 0x5c, 0x08, 0x9c, 0x26, - 0x89, 0x5b, 0x0e, 0x23, 0xcc, 0xc0, 0xf3, 0xbe, 0xe3, 0xee, 0xb0, 0xee, 0x0f, 0xb3, 0xee, 0xcf, - 0xf6, 0xb7, 0x34, 0xae, 0x46, 0x61, 0xbb, 0x75, 0xc3, 0x0b, 0x1a, 0xf3, 0xb6, 0xe8, 0xd1, 0x85, - 0x9b, 0x3d, 0x49, 0xe3, 0x03, 0xd8, 0xa2, 0x9f, 0xb2, 0x60, 0x32, 0x8c, 0x5a, 0xdb, 0x4e, 0x40, - 0x1a, 0x12, 0x1a, 0x4f, 0x8d, 0xb0, 0x75, 0xfa, 0xe1, 0xc1, 0xc6, 0x72, 0x35, 0x4b, 0x76, 0x25, - 0x0c, 0xbc, 0x24, 0x8c, 0xea, 0x24, 0x49, 0xbc, 0x60, 0x2b, 0x9e, 0x3f, 
0x77, 0x7f, 0x7f, 0x7a, - 0xb2, 0x0b, 0x0b, 0x77, 0xf7, 0x07, 0x7d, 0x17, 0x8c, 0xc6, 0x9d, 0xc0, 0xbd, 0xe3, 0x05, 0x8d, - 0xf0, 0x5e, 0x3c, 0x55, 0x2d, 0x62, 0xad, 0xd7, 0x15, 0x41, 0xb1, 0x5a, 0x35, 0x03, 0x6c, 0x72, - 0xcb, 0xff, 0x70, 0x7a, 0xde, 0xd5, 0x8a, 0xfe, 0x70, 0x7a, 0x32, 0x1d, 0xc0, 0x16, 0x7d, 0xbf, - 0x05, 0xe3, 0xb1, 0xb7, 0x15, 0x38, 0x49, 0x3b, 0x22, 0x37, 0x48, 0x27, 0x9e, 0x02, 0xd6, 0x91, - 0xeb, 0x03, 0x8e, 0x8a, 0x41, 0x72, 0xfe, 0x9c, 0xe8, 0xe3, 0xb8, 0xd9, 0x1a, 0xe3, 0x34, 0xdf, - 0xbc, 0x55, 0xa9, 0xa7, 0xf5, 0xe8, 0x23, 0x5c, 0x95, 0x7a, 0x05, 0xf4, 0xec, 0x1f, 0xfa, 0x0e, - 0x38, 0xcd, 0x9b, 0xd4, 0x67, 0x88, 0xa7, 0xc6, 0x98, 0x08, 0x3f, 0x7b, 0x7f, 0x7f, 0xfa, 0x74, - 0x3d, 0x03, 0xc3, 0x5d, 0xd8, 0xe8, 0x55, 0x98, 0x6e, 0x91, 0xa8, 0xe9, 0x25, 0xab, 0x81, 0xdf, - 0x91, 0x8a, 0xc1, 0x0d, 0x5b, 0xa4, 0x21, 0xba, 0x13, 0x4f, 0x8d, 0x5f, 0xb4, 0xde, 0x56, 0x9d, - 0x7f, 0xab, 0xe8, 0xe6, 0xf4, 0xda, 0xc1, 0xe8, 0xf8, 0x30, 0x7a, 0xe8, 0x37, 0x2c, 0xb8, 0x60, - 0xc8, 0xef, 0x3a, 0x89, 0x76, 0x3d, 0x97, 0xcc, 0xb9, 0x6e, 0xd8, 0x0e, 0x92, 0x78, 0x6a, 0x82, - 0x8d, 0xf9, 0xc6, 0x71, 0x68, 0x93, 0x34, 0x2b, 0x3d, 0x89, 0x7b, 0xa2, 0xc4, 0xf8, 0x80, 0x9e, - 0xda, 0xbf, 0x55, 0x82, 0xd3, 0x59, 0xdb, 0x02, 0xfd, 0x23, 0x0b, 0x4e, 0xdd, 0xbd, 0x97, 0xac, - 0x87, 0x3b, 0x24, 0x88, 0xe7, 0x3b, 0x54, 0x03, 0x30, 0xad, 0x3a, 0x7a, 0xc9, 0x2d, 0xd6, 0x8a, - 0x99, 0xb9, 0x9e, 0xe6, 0x72, 0x39, 0x48, 0xa2, 0xce, 0xfc, 0x93, 0xe2, 0x9d, 0x4e, 0x5d, 0xbf, - 0xb3, 0x6e, 0x42, 0x71, 0xb6, 0x53, 0x17, 0x3e, 0x67, 0xc1, 0xd9, 0x3c, 0x12, 0xe8, 0x34, 0x94, - 0x77, 0x48, 0x87, 0xdb, 0xd8, 0x98, 0xfe, 0x44, 0xaf, 0x40, 0x65, 0xd7, 0xf1, 0xdb, 0x44, 0x18, - 0x80, 0x57, 0x07, 0x7b, 0x11, 0xd5, 0x33, 0xcc, 0xa9, 0x7e, 0x4b, 0xe9, 0x25, 0xcb, 0xfe, 0x9d, - 0x32, 0x8c, 0x1a, 0x1f, 0xed, 0x04, 0x8c, 0xda, 0x30, 0x65, 0xd4, 0xae, 0x14, 0x36, 0xdf, 0x7a, - 0x5a, 0xb5, 0xf7, 0x32, 0x56, 0xed, 0x6a, 0x71, 0x2c, 0x0f, 0x34, 0x6b, 0x51, 0x02, 0xb5, 0xb0, - 0x45, 0x37, 
0x7f, 0xd4, 0x3a, 0x1a, 0x2a, 0xe2, 0x13, 0xae, 0x4a, 0x72, 0xf3, 0xe3, 0xf7, 0xf7, - 0xa7, 0x6b, 0xea, 0x2f, 0xd6, 0x8c, 0xec, 0x3f, 0xb4, 0xe0, 0xac, 0xd1, 0xc7, 0x85, 0x30, 0x68, - 0xb0, 0x2d, 0x0c, 0xba, 0x08, 0x43, 0x49, 0xa7, 0x25, 0x37, 0x98, 0x6a, 0xa4, 0xd6, 0x3b, 0x2d, - 0x82, 0x19, 0xe4, 0x71, 0xdf, 0x7f, 0xfd, 0x88, 0x05, 0x4f, 0xe4, 0x0b, 0x18, 0xf4, 0x3c, 0x0c, - 0x73, 0xef, 0x82, 0x78, 0x3b, 0xfd, 0x49, 0x58, 0x2b, 0x16, 0x50, 0x34, 0x0b, 0x35, 0xa5, 0x1d, - 0xc5, 0x3b, 0x4e, 0x0a, 0xd4, 0x9a, 0x56, 0xa9, 0x1a, 0x87, 0x0e, 0x1a, 0xfd, 0x23, 0x8c, 0x5b, - 0x35, 0x68, 0x6c, 0x3b, 0xce, 0x20, 0xf6, 0xef, 0x5b, 0xf0, 0xf5, 0xfd, 0x88, 0xbd, 0xe3, 0xeb, - 0x63, 0x1d, 0xce, 0x35, 0xc8, 0xa6, 0xd3, 0xf6, 0x93, 0x34, 0x47, 0xd1, 0xe9, 0x67, 0xc4, 0xc3, - 0xe7, 0x16, 0xf3, 0x90, 0x70, 0xfe, 0xb3, 0xf6, 0x7f, 0xb2, 0x98, 0x23, 0x40, 0xbe, 0xd6, 0x09, - 0x6c, 0xca, 0x82, 0xf4, 0xa6, 0x6c, 0xa9, 0xb0, 0x65, 0xda, 0x63, 0x57, 0xf6, 0x43, 0x16, 0x5c, - 0x30, 0xb0, 0x56, 0x9c, 0xc4, 0xdd, 0xbe, 0xbc, 0xd7, 0x8a, 0x48, 0x1c, 0xd3, 0x29, 0xf5, 0x8c, - 0x21, 0x8e, 0xe7, 0x47, 0x05, 0x85, 0xf2, 0x0d, 0xd2, 0xe1, 0xb2, 0xf9, 0x05, 0xa8, 0xf2, 0x35, - 0x17, 0x46, 0xe2, 0x23, 0xa9, 0x77, 0x5b, 0x15, 0xed, 0x58, 0x61, 0x20, 0x1b, 0x86, 0x99, 0xcc, - 0xa5, 0x32, 0x88, 0x9a, 0x09, 0x40, 0xbf, 0xfb, 0x6d, 0xd6, 0x82, 0x05, 0xc4, 0x8e, 0x53, 0xdd, - 0x59, 0x8b, 0x08, 0x9b, 0x0f, 0x8d, 0x2b, 0x1e, 0xf1, 0x1b, 0x31, 0xdd, 0x30, 0x3a, 0x41, 0x10, - 0x26, 0x62, 0xef, 0x67, 0x6c, 0x18, 0xe7, 0x74, 0x33, 0x36, 0x71, 0x28, 0x53, 0xdf, 0xd9, 0x20, - 0x3e, 0x1f, 0x51, 0xc1, 0x74, 0x99, 0xb5, 0x60, 0x01, 0xb1, 0xef, 0x97, 0xd8, 0xd6, 0x54, 0x49, - 0x34, 0x72, 0x12, 0x7e, 0x8d, 0x28, 0xa5, 0x02, 0xd6, 0x8a, 0x93, 0xc7, 0xa4, 0xb7, 0x6f, 0xe3, - 0xb5, 0x8c, 0x16, 0xc0, 0x85, 0x72, 0x3d, 0xd8, 0xbf, 0xf1, 0xa5, 0x32, 0x4c, 0xa7, 0x1f, 0xe8, - 0x52, 0x22, 0x74, 0x33, 0x6d, 0x30, 0xca, 0x7a, 0x01, 0x0d, 0x7c, 0x6c, 0xe2, 0xf5, 0x90, 0xc3, - 0xa5, 0xe3, 0x94, 0xc3, 0xa6, 0x9a, 0x28, 0x1f, 
0xa2, 0x26, 0x16, 0xd4, 0xa8, 0x0f, 0x31, 0xcc, - 0xb7, 0x77, 0xb9, 0x0e, 0xcf, 0xaf, 0x45, 0xe1, 0x16, 0x5b, 0x73, 0xbb, 0x84, 0x6e, 0xa6, 0x72, - 0xdc, 0x82, 0x17, 0x61, 0x28, 0x4e, 0x48, 0x6b, 0xaa, 0x92, 0x96, 0xc1, 0xf5, 0x84, 0xb4, 0x30, - 0x83, 0xa0, 0x6f, 0x83, 0x53, 0x89, 0x13, 0x6d, 0x91, 0x24, 0x22, 0xbb, 0x1e, 0x73, 0x27, 0xb3, - 0x9d, 0x71, 0x6d, 0xfe, 0x0c, 0x35, 0xc9, 0xd6, 0x19, 0x08, 0x4b, 0x10, 0xce, 0xe2, 0xda, 0xff, - 0xad, 0x04, 0x4f, 0xa6, 0xbf, 0x8f, 0xd6, 0x9a, 0xdf, 0x9e, 0xd2, 0x9a, 0x6f, 0x37, 0xb5, 0xe6, - 0x83, 0xfd, 0xe9, 0xa7, 0x7a, 0x3c, 0xf6, 0x35, 0xa3, 0x54, 0xd1, 0xd5, 0xcc, 0x17, 0x9a, 0xed, - 0xfa, 0x42, 0xcf, 0xf4, 0x78, 0xc7, 0x8c, 0xb5, 0xf3, 0x3c, 0x0c, 0x47, 0xc4, 0x89, 0xc3, 0x40, - 0x7c, 0x27, 0xb5, 0x18, 0x30, 0x6b, 0xc5, 0x02, 0x6a, 0xff, 0x5e, 0x2d, 0x3b, 0xd8, 0x57, 0xb9, - 0x8b, 0x3c, 0x8c, 0x90, 0x07, 0x43, 0x6c, 0xff, 0xc7, 0xc5, 0xce, 0x8d, 0xc1, 0x96, 0x28, 0x55, - 0x31, 0x8a, 0xf4, 0x7c, 0x95, 0x7e, 0x35, 0xda, 0x84, 0x19, 0x0b, 0xb4, 0x07, 0x55, 0x57, 0xee, - 0xb4, 0x4a, 0x45, 0x78, 0x3b, 0xc5, 0x3e, 0x4b, 0x73, 0x1c, 0xa3, 0xba, 0x40, 0x6d, 0xcf, 0x14, - 0x37, 0x44, 0xa0, 0xbc, 0xe5, 0x25, 0xe2, 0xb3, 0x0e, 0xb8, 0xf1, 0xbe, 0xea, 0x19, 0xaf, 0x38, - 0x42, 0x15, 0xd4, 0x55, 0x2f, 0xc1, 0x94, 0x3e, 0xfa, 0x8c, 0x05, 0xa3, 0xb1, 0xdb, 0x5c, 0x8b, - 0xc2, 0x5d, 0xaf, 0x41, 0x22, 0x61, 0x80, 0x0e, 0x28, 0xf6, 0xea, 0x0b, 0x2b, 0x92, 0xa0, 0xe6, - 0xcb, 0x1d, 0x21, 0x1a, 0x82, 0x4d, 0xbe, 0x74, 0x63, 0xf6, 0xa4, 0x78, 0xf7, 0x45, 0xe2, 0xb2, - 0x15, 0x27, 0x37, 0xd4, 0x6c, 0xa6, 0x0c, 0x6c, 0x90, 0x2f, 0xb6, 0xdd, 0x1d, 0xba, 0xde, 0x74, - 0x87, 0x9e, 0xba, 0xbf, 0x3f, 0xfd, 0xe4, 0x42, 0x3e, 0x4f, 0xdc, 0xab, 0x33, 0x6c, 0xc0, 0x5a, - 0x6d, 0xdf, 0xc7, 0xe4, 0xd5, 0x36, 0x61, 0xbe, 0xb5, 0x02, 0x06, 0x6c, 0x4d, 0x13, 0xcc, 0x0c, - 0x98, 0x01, 0xc1, 0x26, 0x5f, 0xf4, 0x2a, 0x0c, 0x37, 0x9d, 0x24, 0xf2, 0xf6, 0x84, 0x43, 0x6d, - 0xc0, 0x2d, 0xd2, 0x0a, 0xa3, 0xa5, 0x99, 0x33, 0x2b, 0x80, 0x37, 0x62, 0xc1, 0x08, 
0x35, 0xa1, - 0xd2, 0x24, 0xd1, 0x16, 0x99, 0xaa, 0x16, 0x71, 0xd2, 0xb0, 0x42, 0x49, 0x69, 0x86, 0x35, 0x6a, - 0x79, 0xb1, 0x36, 0xcc, 0xb9, 0xa0, 0x57, 0xa0, 0x1a, 0x13, 0x9f, 0xb8, 0xd4, 0x76, 0xaa, 0x31, - 0x8e, 0xef, 0xea, 0xd3, 0x8e, 0xa4, 0x46, 0x4b, 0x5d, 0x3c, 0xca, 0x17, 0x98, 0xfc, 0x87, 0x15, - 0x49, 0x3a, 0x80, 0x2d, 0xbf, 0xbd, 0xe5, 0x05, 0x53, 0x50, 0xc4, 0x00, 0xae, 0x31, 0x5a, 0x99, - 0x01, 0xe4, 0x8d, 0x58, 0x30, 0xb2, 0xff, 0xab, 0x05, 0x28, 0x2d, 0xd4, 0x4e, 0xc0, 0x60, 0x7e, - 0x35, 0x6d, 0x30, 0x2f, 0x17, 0x69, 0xd1, 0xf4, 0xb0, 0x99, 0x7f, 0xb1, 0x06, 0x19, 0x75, 0x70, - 0x93, 0xc4, 0x09, 0x69, 0xbc, 0x29, 0xc2, 0xdf, 0x14, 0xe1, 0x6f, 0x8a, 0x70, 0x25, 0xc2, 0x37, - 0x32, 0x22, 0xfc, 0xbd, 0xc6, 0xaa, 0xd7, 0x21, 0x0f, 0x1f, 0x51, 0x31, 0x11, 0x66, 0x0f, 0x0c, - 0x04, 0x2a, 0x09, 0xae, 0xd7, 0x57, 0x6f, 0xe6, 0xca, 0xec, 0x8f, 0xa4, 0x65, 0xf6, 0xa0, 0x2c, - 0xfe, 0x26, 0x48, 0xe9, 0xdf, 0xb0, 0xe0, 0xad, 0x69, 0xe9, 0x25, 0x67, 0xce, 0xd2, 0x56, 0x10, - 0x46, 0x64, 0xd1, 0xdb, 0xdc, 0x24, 0x11, 0x09, 0x5c, 0x12, 0x2b, 0xc7, 0x8f, 0xd5, 0xcb, 0xf1, - 0x83, 0xde, 0x0d, 0x63, 0x77, 0xe3, 0x30, 0x58, 0x0b, 0xbd, 0x40, 0x88, 0x20, 0xba, 0xe3, 0x38, - 0x7d, 0x7f, 0x7f, 0x7a, 0x8c, 0x8e, 0xa8, 0x6c, 0xc7, 0x29, 0x2c, 0xb4, 0x00, 0x93, 0x77, 0x5f, - 0x5d, 0x73, 0x12, 0xc3, 0xd5, 0x20, 0x9d, 0x02, 0xec, 0x64, 0xeb, 0xfa, 0xfb, 0x32, 0x40, 0xdc, - 0x8d, 0x6f, 0xff, 0xdd, 0x12, 0x9c, 0xcf, 0xbc, 0x48, 0xe8, 0xfb, 0x61, 0x3b, 0xa1, 0x7b, 0x22, - 0xf4, 0x13, 0x16, 0x9c, 0x6e, 0xa6, 0xbd, 0x19, 0xb1, 0xf0, 0x85, 0x7f, 0x67, 0x61, 0x3a, 0x22, - 0xe3, 0x2e, 0x99, 0x9f, 0x12, 0x23, 0x74, 0x3a, 0x03, 0x88, 0x71, 0x57, 0x5f, 0xd0, 0x2b, 0x50, - 0x6b, 0x3a, 0x7b, 0xb7, 0x5a, 0x0d, 0x27, 0x91, 0x7b, 0xd5, 0xde, 0x2e, 0x86, 0x76, 0xe2, 0xf9, - 0x33, 0x3c, 0x98, 0x66, 0x66, 0x29, 0x48, 0x56, 0xa3, 0x7a, 0x12, 0x79, 0xc1, 0x16, 0xf7, 0x80, - 0xae, 0x48, 0x32, 0x58, 0x53, 0xb4, 0xbf, 0x64, 0x65, 0x95, 0x94, 0x1a, 0x9d, 0xc8, 0x49, 0xc8, - 0x56, 0x07, 0x7d, 0x0c, 
0x2a, 0x74, 0xdf, 0x28, 0x47, 0xe5, 0x4e, 0x91, 0x9a, 0xd3, 0xf8, 0x12, - 0x5a, 0x89, 0xd2, 0x7f, 0x31, 0xe6, 0x4c, 0xed, 0x9f, 0xa8, 0x65, 0x8d, 0x05, 0x16, 0x12, 0x70, - 0x09, 0x60, 0x2b, 0x5c, 0x27, 0xcd, 0x96, 0x4f, 0x87, 0xc5, 0x62, 0xa7, 0x3f, 0xca, 0x8f, 0x72, - 0x55, 0x41, 0xb0, 0x81, 0x85, 0x7e, 0xc0, 0x02, 0xd8, 0x92, 0x73, 0x5e, 0x1a, 0x02, 0xb7, 0x8a, - 0x7c, 0x1d, 0xbd, 0xa2, 0x74, 0x5f, 0x14, 0x43, 0x6c, 0x30, 0x47, 0xdf, 0x6b, 0x41, 0x35, 0x91, - 0xdd, 0xe7, 0xaa, 0x71, 0xbd, 0xc8, 0x9e, 0xc8, 0x97, 0xd6, 0x36, 0x91, 0x1a, 0x12, 0xc5, 0x17, - 0x7d, 0x9f, 0x05, 0x10, 0x77, 0x02, 0x77, 0x2d, 0xf4, 0x3d, 0xb7, 0x23, 0x34, 0xe6, 0xed, 0x42, - 0x7d, 0x3d, 0x8a, 0xfa, 0xfc, 0x04, 0x1d, 0x0d, 0xfd, 0x1f, 0x1b, 0x9c, 0xd1, 0xc7, 0xa1, 0x1a, - 0x8b, 0xe9, 0x26, 0x74, 0xe4, 0x7a, 0xb1, 0x1e, 0x27, 0x4e, 0x5b, 0x88, 0x57, 0xf1, 0x0f, 0x2b, - 0x9e, 0xe8, 0xc7, 0x2c, 0x38, 0xd5, 0x4a, 0xfb, 0x10, 0x85, 0x3a, 0x2c, 0x4e, 0x06, 0x64, 0x7c, - 0x94, 0xdc, 0xdb, 0x92, 0x69, 0xc4, 0xd9, 0x5e, 0x50, 0x09, 0xa8, 0x67, 0xf0, 0x6a, 0x8b, 0xfb, - 0x33, 0x47, 0xb4, 0x04, 0xbc, 0x9a, 0x05, 0xe2, 0x6e, 0x7c, 0xb4, 0x06, 0x67, 0x69, 0xef, 0x3a, - 0xdc, 0xfc, 0x94, 0xea, 0x25, 0x66, 0xca, 0xb0, 0x3a, 0xff, 0xb4, 0x98, 0x21, 0xec, 0x20, 0x24, - 0x8b, 0x83, 0x73, 0x9f, 0x44, 0xbf, 0x63, 0xc1, 0xd3, 0x1e, 0x53, 0x03, 0xa6, 0x37, 0x5f, 0x6b, - 0x04, 0x71, 0x64, 0x4f, 0x0a, 0x95, 0x15, 0xbd, 0xd4, 0xcf, 0xfc, 0xd7, 0x8b, 0x37, 0x78, 0x7a, - 0xe9, 0x80, 0x2e, 0xe1, 0x03, 0x3b, 0x8c, 0xbe, 0x19, 0xc6, 0xe5, 0xba, 0x58, 0xa3, 0x22, 0x98, - 0x29, 0xda, 0xda, 0xfc, 0xe4, 0xfd, 0xfd, 0xe9, 0xf1, 0x75, 0x13, 0x80, 0xd3, 0x78, 0xf6, 0x5f, - 0x0d, 0xa5, 0x8e, 0x90, 0x94, 0x83, 0x93, 0x89, 0x1b, 0x57, 0xfa, 0x7f, 0xa4, 0xf4, 0x2c, 0x54, - 0xdc, 0x28, 0xef, 0x92, 0x16, 0x37, 0xaa, 0x29, 0xc6, 0x06, 0x73, 0x6a, 0x94, 0x4e, 0x3a, 0x59, - 0x37, 0xaa, 0x90, 0x80, 0xaf, 0x14, 0xd9, 0xa5, 0xee, 0x03, 0xbf, 0xf3, 0xa2, 0x6b, 0x93, 0x5d, - 0x20, 0xdc, 0xdd, 0x25, 0xf4, 0xdd, 0x50, 0x8b, 0x54, 0x8c, 
0x4c, 0xb9, 0x88, 0xad, 0x9a, 0x9c, - 0x36, 0xa2, 0x3b, 0xea, 0x74, 0x48, 0x47, 0xc3, 0x68, 0x8e, 0xe8, 0xbd, 0x30, 0xa1, 0xfe, 0x2c, - 0xb0, 0x63, 0x21, 0x2a, 0x14, 0xcb, 0xf3, 0x4f, 0x88, 0xa7, 0x26, 0x70, 0x0a, 0x8a, 0x33, 0xd8, - 0x28, 0x82, 0x61, 0x1e, 0xb7, 0x29, 0xc4, 0xd8, 0x80, 0xdb, 0x1d, 0x33, 0xf8, 0x53, 0xfb, 0x08, - 0x79, 0x2b, 0x16, 0x9c, 0xec, 0xcf, 0x96, 0x52, 0x27, 0x7d, 0x86, 0xbc, 0xeb, 0xe3, 0x14, 0xf3, - 0x0b, 0x16, 0x8c, 0x46, 0xa1, 0xef, 0x7b, 0xc1, 0x16, 0x95, 0xcd, 0xc2, 0xc0, 0xf8, 0xe0, 0xb1, - 0xe8, 0x78, 0x21, 0x84, 0xd9, 0x6e, 0x00, 0x6b, 0x9e, 0xd8, 0xec, 0x00, 0x7a, 0x19, 0xc6, 0x1b, - 0xc4, 0x27, 0xf4, 0xd9, 0xd5, 0x88, 0xee, 0xe3, 0xb8, 0xd7, 0x5c, 0xc5, 0xc9, 0x2c, 0x9a, 0x40, - 0x9c, 0xc6, 0xb5, 0xff, 0xd4, 0x82, 0xa9, 0x5e, 0x0a, 0x08, 0x11, 0x78, 0x4a, 0x4a, 0x57, 0xf5, - 0x15, 0x57, 0x03, 0x49, 0x4f, 0xd8, 0x10, 0xcf, 0x09, 0x3e, 0x4f, 0xad, 0xf5, 0x46, 0xc5, 0x07, - 0xd1, 0x41, 0x1f, 0x80, 0xd3, 0xc6, 0xa0, 0xc4, 0x6a, 0x54, 0x6b, 0xf3, 0x33, 0xd4, 0xe2, 0x9b, - 0xcb, 0xc0, 0x1e, 0xec, 0x4f, 0x3f, 0x91, 0x6d, 0x13, 0x1a, 0xb2, 0x8b, 0x8e, 0xfd, 0xd3, 0x5d, - 0x9f, 0x5a, 0x19, 0x37, 0x6f, 0x58, 0x5d, 0xee, 0x93, 0xef, 0x3c, 0x0e, 0x83, 0x82, 0x39, 0x5a, - 0x54, 0x50, 0x4a, 0x6f, 0x9c, 0x47, 0x18, 0xc4, 0x60, 0xff, 0xf6, 0x10, 0x1c, 0xd0, 0xb3, 0x3e, - 0x76, 0x2b, 0x47, 0x3e, 0x55, 0xfe, 0xbc, 0xa5, 0x8e, 0x0f, 0xb9, 0xd0, 0x6a, 0x1c, 0xd7, 0xd8, - 0xf3, 0x0d, 0x63, 0xcc, 0x03, 0x69, 0x94, 0x48, 0x48, 0x1f, 0x54, 0xa2, 0x2f, 0x5b, 0xe9, 0x03, - 0x50, 0x1e, 0x3c, 0xea, 0x1d, 0x5b, 0x9f, 0x8c, 0x53, 0x55, 0xde, 0x31, 0x7d, 0x16, 0xd7, 0xeb, - 0xbc, 0x75, 0x06, 0x60, 0xd3, 0x0b, 0x1c, 0xdf, 0x7b, 0x8d, 0x6e, 0x07, 0x2b, 0xcc, 0xa2, 0x61, - 0x26, 0xe2, 0x15, 0xd5, 0x8a, 0x0d, 0x8c, 0x0b, 0xff, 0x3f, 0x8c, 0x1a, 0x6f, 0x9e, 0x13, 0xff, - 0x73, 0xd6, 0x8c, 0xff, 0xa9, 0x19, 0x61, 0x3b, 0x17, 0xde, 0x0b, 0xa7, 0xb3, 0x1d, 0x3c, 0xca, - 0xf3, 0xf6, 0xff, 0x1e, 0xc9, 0x9e, 0x48, 0xae, 0x93, 0xa8, 0x49, 0xbb, 0xf6, 0xa6, 0x27, 0xef, - 
0x4d, 0x4f, 0xde, 0x9b, 0x9e, 0x3c, 0xf3, 0x30, 0x46, 0x78, 0xa9, 0x46, 0x4e, 0xc8, 0x4b, 0x95, - 0xf2, 0xbb, 0x55, 0x0b, 0xf7, 0xbb, 0xd9, 0x9f, 0xe9, 0x3a, 0xaa, 0x58, 0x8f, 0x08, 0x41, 0x21, - 0x54, 0x82, 0xb0, 0x41, 0xa4, 0x51, 0x7f, 0xbd, 0x18, 0x0b, 0xf5, 0x66, 0xd8, 0x30, 0xc2, 0xf2, - 0xe9, 0xbf, 0x18, 0x73, 0x3e, 0xf6, 0xa7, 0x87, 0x21, 0x65, 0x3f, 0xf3, 0xef, 0xfe, 0x8d, 0x30, - 0x12, 0x91, 0x56, 0x78, 0x0b, 0x2f, 0x0b, 0x5d, 0xa6, 0xb3, 0x9a, 0x78, 0x33, 0x96, 0x70, 0xaa, - 0xf3, 0x5a, 0x4e, 0xb2, 0x2d, 0x94, 0x99, 0xd2, 0x79, 0x6b, 0x4e, 0xb2, 0x8d, 0x19, 0x84, 0x9a, - 0xbe, 0x49, 0xea, 0xec, 0x5f, 0x9c, 0x71, 0x2b, 0xd3, 0x37, 0x1d, 0x19, 0x80, 0x33, 0xd8, 0xe8, - 0x55, 0x18, 0xda, 0x26, 0x7e, 0x53, 0x7c, 0xfa, 0x7a, 0x71, 0xba, 0x86, 0xbd, 0xeb, 0x35, 0xe2, - 0x37, 0xb9, 0x24, 0xa4, 0xbf, 0x30, 0x63, 0x45, 0xe7, 0x7d, 0x6d, 0xa7, 0x1d, 0x27, 0x61, 0xd3, - 0x7b, 0x4d, 0xba, 0x76, 0xbf, 0xb3, 0x60, 0xc6, 0x37, 0x24, 0x7d, 0xee, 0x43, 0x53, 0x7f, 0xb1, - 0xe6, 0xcc, 0xfa, 0xd1, 0xf0, 0x22, 0x36, 0x65, 0x3a, 0xc2, 0x43, 0x5b, 0x74, 0x3f, 0x16, 0x25, - 0x7d, 0xde, 0x0f, 0xf5, 0x17, 0x6b, 0xce, 0xa8, 0xa3, 0xd6, 0xdf, 0x28, 0xeb, 0xc3, 0xad, 0x82, - 0xfb, 0xc0, 0xd7, 0x5e, 0xee, 0x3a, 0x7c, 0x0e, 0x2a, 0xee, 0xb6, 0x13, 0x25, 0x53, 0x63, 0x6c, - 0xd2, 0xa8, 0x59, 0xbc, 0x40, 0x1b, 0x31, 0x87, 0xa1, 0x67, 0xa0, 0x1c, 0x91, 0x4d, 0x16, 0xab, - 0x6d, 0x44, 0x89, 0x61, 0xb2, 0x89, 0x69, 0xbb, 0xb2, 0xcb, 0x26, 0x7a, 0x86, 0x0f, 0xfe, 0x64, - 0x29, 0x6d, 0xd8, 0xa5, 0x47, 0x86, 0xaf, 0x07, 0xb7, 0x1d, 0xc5, 0xd2, 0x23, 0x68, 0xac, 0x07, - 0xd6, 0x8c, 0x25, 0x1c, 0x7d, 0xd2, 0x82, 0x91, 0xbb, 0x71, 0x18, 0x04, 0x24, 0x11, 0x4a, 0xf4, - 0x76, 0xc1, 0x83, 0x75, 0x9d, 0x53, 0xd7, 0x7d, 0x10, 0x0d, 0x58, 0xf2, 0xa5, 0xdd, 0x25, 0x7b, - 0xae, 0xdf, 0x6e, 0x74, 0x85, 0x06, 0x5d, 0xe6, 0xcd, 0x58, 0xc2, 0x29, 0xaa, 0x17, 0x70, 0xd4, - 0xa1, 0x34, 0xea, 0x52, 0x20, 0x50, 0x05, 0xdc, 0xfe, 0xf9, 0x2a, 0x9c, 0xcb, 0x5d, 0x3e, 0xd4, - 0xe4, 0x62, 0x46, 0xcd, 0x15, 0xcf, 
0x27, 0x32, 0x28, 0x8e, 0x99, 0x5c, 0xb7, 0x55, 0x2b, 0x36, - 0x30, 0xd0, 0xf7, 0x00, 0xb4, 0x9c, 0xc8, 0x69, 0x12, 0xe5, 0xb1, 0x1f, 0xd8, 0xb2, 0xa1, 0xfd, - 0x58, 0x93, 0x34, 0xb5, 0xd7, 0x42, 0x35, 0xc5, 0xd8, 0x60, 0x89, 0x5e, 0x84, 0xd1, 0x88, 0xf8, - 0xc4, 0x89, 0x59, 0x32, 0x40, 0x36, 0x67, 0x0a, 0x6b, 0x10, 0x36, 0xf1, 0xd0, 0xf3, 0x2a, 0x7e, - 0x70, 0x28, 0x1d, 0x5c, 0x93, 0x8e, 0x21, 0x44, 0x5f, 0xb4, 0x60, 0x62, 0xd3, 0xf3, 0x89, 0xe6, - 0x2e, 0x32, 0x9c, 0x56, 0x07, 0x7f, 0xc9, 0x2b, 0x26, 0x5d, 0x2d, 0x43, 0x53, 0xcd, 0x31, 0xce, - 0xb0, 0xa7, 0x9f, 0x79, 0x97, 0x44, 0x4c, 0xf8, 0x0e, 0xa7, 0x3f, 0xf3, 0x6d, 0xde, 0x8c, 0x25, - 0x1c, 0xcd, 0xc1, 0xa9, 0x96, 0x13, 0xc7, 0x0b, 0x11, 0x69, 0x90, 0x20, 0xf1, 0x1c, 0x9f, 0xa7, - 0x14, 0x55, 0x75, 0x70, 0xfd, 0x5a, 0x1a, 0x8c, 0xb3, 0xf8, 0xe8, 0xfd, 0xf0, 0x24, 0x77, 0x89, - 0xad, 0x78, 0x71, 0xec, 0x05, 0x5b, 0x7a, 0x1a, 0x08, 0xcf, 0xe0, 0xb4, 0x20, 0xf5, 0xe4, 0x52, - 0x3e, 0x1a, 0xee, 0xf5, 0x3c, 0x7a, 0x01, 0xaa, 0xf1, 0x8e, 0xd7, 0x5a, 0x88, 0x1a, 0x31, 0x3b, - 0x0e, 0xab, 0x6a, 0x3f, 0x74, 0x5d, 0xb4, 0x63, 0x85, 0x81, 0x5c, 0x18, 0xe3, 0x9f, 0x84, 0x07, - 0x40, 0x0a, 0x09, 0xfa, 0x8e, 0x9e, 0x8a, 0x5c, 0xa4, 0x1a, 0xcf, 0x60, 0xe7, 0xde, 0x65, 0x79, - 0x38, 0xc7, 0xcf, 0x92, 0x6e, 0x1b, 0x64, 0x70, 0x8a, 0x68, 0x7a, 0x4f, 0x37, 0xda, 0xc7, 0x9e, - 0xee, 0x45, 0x18, 0xdd, 0x69, 0x6f, 0x10, 0x31, 0xf2, 0x42, 0xb0, 0xa9, 0xd9, 0x77, 0x43, 0x83, - 0xb0, 0x89, 0xc7, 0x62, 0x4f, 0x5b, 0x9e, 0xf8, 0x17, 0x4f, 0x8d, 0x1b, 0xb1, 0xa7, 0x6b, 0x4b, - 0xb2, 0x19, 0x9b, 0x38, 0xb4, 0x6b, 0x74, 0x2c, 0xd6, 0x49, 0xcc, 0x52, 0x4b, 0xe8, 0x70, 0xa9, - 0xae, 0xd5, 0x25, 0x00, 0x6b, 0x1c, 0xb4, 0x06, 0x67, 0xe9, 0x9f, 0x3a, 0x4b, 0xb5, 0xbe, 0xed, - 0xf8, 0x5e, 0x83, 0x07, 0x42, 0x9e, 0x4a, 0x3b, 0x74, 0xeb, 0x39, 0x38, 0x38, 0xf7, 0x49, 0xfb, - 0xc7, 0x4b, 0x69, 0xcf, 0x89, 0x29, 0xc2, 0x50, 0x4c, 0x05, 0x55, 0x72, 0xdb, 0x89, 0xa4, 0xc1, - 0x33, 0x60, 0x5e, 0x98, 0xa0, 0x7b, 0xdb, 0x89, 0x4c, 0x91, 0xc7, 0x18, 
0x60, 0xc9, 0x09, 0xdd, - 0x85, 0xa1, 0xc4, 0x77, 0x0a, 0xca, 0x3a, 0x35, 0x38, 0x6a, 0x2f, 0xd8, 0xf2, 0x5c, 0x8c, 0x19, - 0x0f, 0xf4, 0x34, 0xdd, 0xbd, 0x6d, 0xc8, 0xa3, 0x45, 0xb1, 0xe1, 0xda, 0x88, 0x31, 0x6b, 0xb5, - 0xff, 0xf6, 0x78, 0x8e, 0xd6, 0x51, 0x86, 0x00, 0xba, 0x04, 0x40, 0x27, 0xcd, 0x5a, 0x44, 0x36, - 0xbd, 0x3d, 0x61, 0x88, 0x29, 0xc9, 0x76, 0x53, 0x41, 0xb0, 0x81, 0x25, 0x9f, 0xa9, 0xb7, 0x37, - 0xe9, 0x33, 0xa5, 0xee, 0x67, 0x38, 0x04, 0x1b, 0x58, 0xe8, 0xdd, 0x30, 0xec, 0x35, 0x9d, 0x2d, - 0x15, 0x16, 0xfd, 0x34, 0x15, 0x69, 0x4b, 0xac, 0xe5, 0xc1, 0xfe, 0xf4, 0x84, 0xea, 0x10, 0x6b, - 0xc2, 0x02, 0x17, 0xfd, 0xb4, 0x05, 0x63, 0x6e, 0xd8, 0x6c, 0x86, 0x01, 0xdf, 0x3e, 0x0b, 0x5f, - 0xc0, 0xdd, 0xe3, 0x32, 0x93, 0x66, 0x16, 0x0c, 0x66, 0xdc, 0x19, 0xa0, 0xd2, 0x63, 0x4d, 0x10, - 0x4e, 0xf5, 0xca, 0x94, 0x7c, 0x95, 0x43, 0x24, 0xdf, 0x2f, 0x58, 0x30, 0xc9, 0x9f, 0x35, 0x76, - 0xf5, 0x22, 0xb9, 0x33, 0x3c, 0xe6, 0xd7, 0xea, 0x72, 0x74, 0x28, 0xef, 0x76, 0x17, 0x1c, 0x77, - 0x77, 0x12, 0x5d, 0x85, 0xc9, 0xcd, 0x30, 0x72, 0x89, 0x39, 0x10, 0x42, 0x6c, 0x2b, 0x42, 0x57, - 0xb2, 0x08, 0xb8, 0xfb, 0x19, 0x74, 0x1b, 0x9e, 0x30, 0x1a, 0xcd, 0x71, 0xe0, 0x92, 0xfb, 0x59, - 0x41, 0xed, 0x89, 0x2b, 0xb9, 0x58, 0xb8, 0xc7, 0xd3, 0x69, 0x21, 0x59, 0xeb, 0x43, 0x48, 0x7e, - 0x04, 0xce, 0xbb, 0xdd, 0x23, 0xb3, 0x1b, 0xb7, 0x37, 0x62, 0x2e, 0xc7, 0xab, 0xf3, 0x5f, 0x27, - 0x08, 0x9c, 0x5f, 0xe8, 0x85, 0x88, 0x7b, 0xd3, 0x40, 0x1f, 0x83, 0x6a, 0x44, 0xd8, 0x57, 0x89, - 0x45, 0xa6, 0xe3, 0x80, 0xde, 0x0e, 0x6d, 0xc1, 0x73, 0xb2, 0x5a, 0x33, 0x89, 0x86, 0x18, 0x2b, - 0x8e, 0xe8, 0x1e, 0x8c, 0xb4, 0x9c, 0xc4, 0xdd, 0x16, 0x29, 0x8b, 0x03, 0x1f, 0x46, 0x28, 0xe6, - 0xec, 0xec, 0xc8, 0x28, 0x2d, 0xc1, 0x99, 0x60, 0xc9, 0x8d, 0xda, 0x6a, 0x6e, 0xd8, 0x6c, 0x85, - 0x01, 0x09, 0x12, 0xa9, 0x44, 0x26, 0xf8, 0x01, 0x8f, 0x6c, 0xc5, 0x06, 0x46, 0x97, 0x2e, 0xd7, - 0x68, 0x53, 0x93, 0x07, 0xe8, 0x72, 0x83, 0x5a, 0xaf, 0xe7, 0xa9, 0xb2, 0x61, 0x6e, 0xc5, 0x3b, - 0x5e, 0xb2, 
0x1d, 0xb6, 0x13, 0xb9, 0x4b, 0x16, 0x8a, 0x4a, 0x29, 0x9b, 0xe5, 0x1c, 0x1c, 0x9c, - 0xfb, 0x64, 0x56, 0xb3, 0x9e, 0x7a, 0x38, 0xcd, 0x7a, 0xba, 0x0f, 0xcd, 0x5a, 0x87, 0x73, 0xac, - 0x07, 0xc2, 0x4a, 0x96, 0x4e, 0xcb, 0x78, 0x0a, 0xb1, 0xce, 0xab, 0x6c, 0x9f, 0xe5, 0x3c, 0x24, - 0x9c, 0xff, 0xec, 0x85, 0x6f, 0x87, 0xc9, 0x2e, 0x21, 0x77, 0x24, 0x87, 0xe4, 0x22, 0x3c, 0x91, - 0x2f, 0x4e, 0x8e, 0xe4, 0x96, 0xfc, 0xf9, 0x4c, 0x20, 0xbe, 0xb1, 0x45, 0xeb, 0xc3, 0xc5, 0xed, - 0x40, 0x99, 0x04, 0xbb, 0x42, 0xbb, 0x5e, 0x19, 0x6c, 0x56, 0x5f, 0x0e, 0x76, 0xb9, 0x34, 0x64, - 0x7e, 0xbc, 0xcb, 0xc1, 0x2e, 0xa6, 0xb4, 0xd1, 0x0f, 0x5b, 0xa9, 0x0d, 0x04, 0x77, 0x8c, 0x7f, - 0xf8, 0x58, 0xf6, 0xa4, 0x7d, 0xef, 0x29, 0xec, 0x7f, 0x53, 0x82, 0x8b, 0x87, 0x11, 0xe9, 0x63, - 0xf8, 0x9e, 0x83, 0xe1, 0x98, 0x85, 0xd6, 0x08, 0x75, 0x35, 0x4a, 0x57, 0x31, 0x0f, 0xb6, 0xf9, - 0x08, 0x16, 0x20, 0xe4, 0x43, 0xb9, 0xe9, 0xb4, 0x84, 0xbf, 0x74, 0x69, 0xd0, 0x6c, 0x46, 0xfa, - 0xdf, 0xf1, 0x57, 0x9c, 0x16, 0x9f, 0xf3, 0x46, 0x03, 0xa6, 0x6c, 0x50, 0x02, 0x15, 0x27, 0x8a, - 0x1c, 0x19, 0xc7, 0x71, 0xa3, 0x18, 0x7e, 0x73, 0x94, 0x24, 0x3f, 0x06, 0x4f, 0x35, 0x61, 0xce, - 0xcc, 0xfe, 0xb1, 0x6a, 0x2a, 0xf5, 0x8d, 0x05, 0xe7, 0xc4, 0x30, 0x2c, 0xdc, 0xa4, 0x56, 0xd1, - 0x49, 0xa4, 0x3c, 0xb7, 0x9c, 0x79, 0x20, 0x44, 0xed, 0x0f, 0xc1, 0x0a, 0x7d, 0xce, 0x62, 0x15, - 0x36, 0x64, 0x3e, 0xa1, 0xd8, 0xd5, 0x1f, 0x4f, 0xc1, 0x0f, 0xb3, 0x6e, 0x87, 0x6c, 0xc4, 0x26, - 0x77, 0x51, 0x45, 0x88, 0xed, 0x66, 0xba, 0xab, 0x08, 0xb1, 0xdd, 0x89, 0x84, 0xa3, 0xbd, 0x9c, - 0x20, 0x9c, 0x02, 0x0a, 0x2f, 0xf4, 0x11, 0x76, 0xf3, 0x65, 0x0b, 0x26, 0xbd, 0x6c, 0x34, 0x85, - 0xd8, 0x03, 0xdf, 0x29, 0xc6, 0xa7, 0xd9, 0x1d, 0xac, 0xa1, 0x0c, 0x9d, 0x2e, 0x10, 0xee, 0xee, - 0x0c, 0x6a, 0xc0, 0x90, 0x17, 0x6c, 0x86, 0xc2, 0xbc, 0x9b, 0x1f, 0xac, 0x53, 0x4b, 0xc1, 0x66, - 0xa8, 0x57, 0x33, 0xfd, 0x87, 0x19, 0x75, 0xb4, 0x0c, 0x67, 0x65, 0x82, 0xd3, 0x35, 0x2f, 0x4e, - 0xc2, 0xa8, 0xb3, 0xec, 0x35, 0xbd, 0x84, 0x99, 
0x66, 0xe5, 0xf9, 0x29, 0xaa, 0xde, 0x70, 0x0e, - 0x1c, 0xe7, 0x3e, 0x85, 0x5e, 0x83, 0x11, 0x19, 0xc1, 0x50, 0x2d, 0xc2, 0x9f, 0xd0, 0x3d, 0xff, - 0xd5, 0x64, 0xaa, 0x8b, 0x10, 0x06, 0xc9, 0x10, 0x7d, 0xd6, 0x82, 0x09, 0xfe, 0xfb, 0x5a, 0xa7, - 0xc1, 0x13, 0x2e, 0x6b, 0x45, 0xa4, 0x29, 0xd4, 0x53, 0x34, 0xe7, 0xd1, 0xfd, 0xfd, 0xe9, 0x89, - 0x74, 0x1b, 0xce, 0xf0, 0xb5, 0xff, 0xf1, 0x18, 0x74, 0xc7, 0x7c, 0xa4, 0x03, 0x3c, 0xac, 0x13, - 0x0f, 0xf0, 0xb8, 0x0b, 0x43, 0xb1, 0x8e, 0x73, 0x28, 0x60, 0x99, 0x09, 0xae, 0xfa, 0x18, 0xba, - 0x13, 0xb8, 0x98, 0xf1, 0x40, 0x6d, 0x15, 0x0c, 0x52, 0x2e, 0xe8, 0xe4, 0xbb, 0x9f, 0x78, 0x10, - 0xb4, 0x07, 0x23, 0xdb, 0x7c, 0x3a, 0x8a, 0xbd, 0xde, 0xca, 0xa0, 0xe3, 0x9b, 0x9a, 0xe3, 0x7a, - 0xf2, 0x89, 0x06, 0x2c, 0xd9, 0xb1, 0x78, 0x42, 0x23, 0xe2, 0x89, 0x0b, 0x92, 0xe2, 0x72, 0x47, - 0xfb, 0x0f, 0x77, 0xfa, 0x28, 0x8c, 0x45, 0xc4, 0x0d, 0x03, 0xd7, 0xf3, 0x49, 0x63, 0x4e, 0x1e, - 0x88, 0x1d, 0x25, 0x2b, 0x90, 0x79, 0x93, 0xb0, 0x41, 0x03, 0xa7, 0x28, 0xb2, 0x75, 0xa6, 0xca, - 0x08, 0xd0, 0x0f, 0x42, 0xc4, 0xc1, 0xc7, 0x72, 0x41, 0x45, 0x0b, 0x18, 0x4d, 0xbe, 0xce, 0xd2, - 0x6d, 0x38, 0xc3, 0x17, 0x7d, 0x00, 0x20, 0xdc, 0xe0, 0x41, 0x83, 0x73, 0x89, 0x38, 0x05, 0x39, - 0xca, 0xab, 0x4e, 0xf0, 0xd4, 0x63, 0x49, 0x01, 0x1b, 0xd4, 0xd0, 0x0d, 0x00, 0xbe, 0x72, 0xd6, - 0x3b, 0x2d, 0xb9, 0x21, 0x94, 0x69, 0x9d, 0x50, 0x57, 0x90, 0x07, 0xfb, 0xd3, 0xdd, 0x3e, 0x67, - 0x16, 0x65, 0x64, 0x3c, 0x8e, 0xbe, 0x0b, 0x46, 0xe2, 0x76, 0xb3, 0xe9, 0xa8, 0x33, 0x92, 0x02, - 0x93, 0x99, 0x39, 0x5d, 0x43, 0x30, 0xf2, 0x06, 0x2c, 0x39, 0xa2, 0xbb, 0x54, 0xc4, 0x0b, 0x09, - 0xc5, 0x57, 0x11, 0xb7, 0x50, 0xb8, 0x27, 0xf0, 0x3d, 0x72, 0x17, 0x83, 0x73, 0x70, 0x1e, 0xec, - 0x4f, 0x3f, 0x91, 0x6e, 0x5f, 0x0e, 0x45, 0x7a, 0x71, 0x2e, 0x4d, 0x74, 0x5d, 0xd6, 0x2b, 0xa3, - 0xaf, 0x2d, 0x8b, 0xdd, 0xbc, 0x4d, 0xd7, 0x2b, 0x63, 0xcd, 0xbd, 0xc7, 0xcc, 0x7c, 0x18, 0xad, - 0xc0, 0x19, 0x37, 0x0c, 0x92, 0x28, 0xf4, 0x7d, 0x5e, 0xcb, 0x90, 0xef, 0xcd, 0xf9, 
0x19, 0xca, - 0x53, 0xa2, 0xdb, 0x67, 0x16, 0xba, 0x51, 0x70, 0xde, 0x73, 0xd4, 0x26, 0xcf, 0xea, 0x87, 0x89, - 0x42, 0x8e, 0xd7, 0x53, 0x34, 0x85, 0x84, 0x52, 0x6e, 0xef, 0x43, 0x34, 0x45, 0x90, 0x3e, 0x64, - 0x15, 0x5f, 0xec, 0xdd, 0x30, 0x46, 0xf6, 0x12, 0x12, 0x05, 0x8e, 0x7f, 0x0b, 0x2f, 0xcb, 0x03, - 0x0b, 0xb6, 0x30, 0x2f, 0x1b, 0xed, 0x38, 0x85, 0x85, 0x6c, 0xe5, 0x25, 0x33, 0xf2, 0xf8, 0xb9, - 0x97, 0x4c, 0xfa, 0xc4, 0xec, 0x9f, 0x2b, 0xa7, 0x6c, 0xd6, 0x47, 0x72, 0xa4, 0xcb, 0xaa, 0x4b, - 0xc9, 0x32, 0x5c, 0x0c, 0x20, 0xf6, 0x62, 0x45, 0x72, 0x56, 0x51, 0x73, 0xab, 0x26, 0x23, 0x9c, - 0xe6, 0x8b, 0x76, 0xa0, 0xb2, 0x1d, 0xc6, 0x89, 0xdc, 0xa1, 0x0d, 0xb8, 0x19, 0xbc, 0x16, 0xc6, - 0x09, 0x33, 0xb4, 0xd4, 0x6b, 0xd3, 0x96, 0x18, 0x73, 0x1e, 0x74, 0xef, 0x1f, 0x6f, 0x3b, 0x51, - 0x23, 0x15, 0x5e, 0xa9, 0xec, 0xe9, 0xba, 0x06, 0x61, 0x13, 0xcf, 0xfe, 0x33, 0x2b, 0x75, 0xaa, - 0x75, 0x87, 0x65, 0x49, 0xec, 0x92, 0x80, 0x8a, 0x28, 0x33, 0xc6, 0xf1, 0x9b, 0x33, 0x39, 0xe7, - 0x6f, 0xed, 0x55, 0x76, 0xf4, 0x1e, 0xa5, 0x30, 0xc3, 0x48, 0x18, 0xe1, 0x90, 0x9f, 0xb0, 0xd2, - 0x95, 0x05, 0x4a, 0x45, 0x6c, 0xdd, 0xcc, 0xea, 0x1a, 0x87, 0x16, 0x29, 0xb0, 0x7f, 0xd8, 0x82, - 0x91, 0x79, 0xc7, 0xdd, 0x09, 0x37, 0x37, 0xd1, 0x0b, 0x50, 0x6d, 0xb4, 0x23, 0xb3, 0xc8, 0x81, - 0x72, 0x56, 0x2d, 0x8a, 0x76, 0xac, 0x30, 0xe8, 0xd4, 0xdf, 0x74, 0x5c, 0x59, 0x63, 0xa3, 0xcc, - 0xa7, 0xfe, 0x15, 0xd6, 0x82, 0x05, 0x84, 0x0e, 0x7f, 0xd3, 0xd9, 0x93, 0x0f, 0x67, 0x8f, 0xd4, - 0x56, 0x34, 0x08, 0x9b, 0x78, 0xf6, 0xaf, 0x5b, 0x30, 0x35, 0xef, 0xc4, 0x9e, 0x3b, 0xd7, 0x4e, - 0xb6, 0xe7, 0xbd, 0x64, 0xa3, 0xed, 0xee, 0x90, 0x84, 0xd7, 0x62, 0xa1, 0xbd, 0x6c, 0xc7, 0x74, - 0x05, 0xaa, 0x1d, 0xb3, 0xea, 0xe5, 0x2d, 0xd1, 0x8e, 0x15, 0x06, 0x7a, 0x0d, 0x46, 0x5b, 0x4e, - 0x1c, 0xdf, 0x0b, 0xa3, 0x06, 0x26, 0x9b, 0xc5, 0x54, 0x6b, 0xaa, 0x13, 0x37, 0x22, 0x09, 0x26, - 0x9b, 0x22, 0x40, 0x45, 0xd3, 0xc7, 0x26, 0x33, 0xfb, 0x07, 0x2c, 0x38, 0x3b, 0x4f, 0x9c, 0x88, - 0x44, 0xac, 0xb8, 0x93, 
0x7a, 0x11, 0xf4, 0x2a, 0x54, 0x13, 0xda, 0x42, 0x7b, 0x64, 0x15, 0xdb, - 0x23, 0x16, 0x5a, 0xb2, 0x2e, 0x88, 0x63, 0xc5, 0xc6, 0xfe, 0x82, 0x05, 0xe7, 0xf3, 0xfa, 0xb2, - 0xe0, 0x87, 0xed, 0xc6, 0xa3, 0xe8, 0xd0, 0xdf, 0xb1, 0x60, 0x8c, 0x1d, 0xd7, 0x2f, 0x92, 0xc4, - 0xf1, 0xfc, 0xae, 0x92, 0x95, 0x56, 0x9f, 0x25, 0x2b, 0x2f, 0xc2, 0xd0, 0x76, 0xd8, 0x24, 0xd9, - 0x50, 0x93, 0x6b, 0x61, 0x93, 0x60, 0x06, 0x41, 0xef, 0xa4, 0x93, 0xd0, 0x0b, 0x12, 0x87, 0x2e, - 0x47, 0x79, 0x9c, 0x71, 0x8a, 0x4f, 0x40, 0xd5, 0x8c, 0x4d, 0x1c, 0xfb, 0x5f, 0xd5, 0x60, 0x44, - 0xc4, 0x45, 0xf5, 0x5d, 0x1b, 0x48, 0x7a, 0x71, 0x4a, 0x3d, 0xbd, 0x38, 0x31, 0x0c, 0xbb, 0xac, - 0xae, 0xb0, 0xb0, 0xd0, 0x6f, 0x14, 0x12, 0x48, 0xc7, 0x4b, 0x15, 0xeb, 0x6e, 0xf1, 0xff, 0x58, - 0xb0, 0x42, 0xaf, 0x5b, 0x70, 0xca, 0x0d, 0x83, 0x80, 0xb8, 0xda, 0x76, 0x1c, 0x2a, 0x62, 0x83, - 0xb0, 0x90, 0x26, 0xaa, 0x4f, 0x82, 0x33, 0x00, 0x9c, 0x65, 0x8f, 0x5e, 0x86, 0x71, 0x3e, 0x66, - 0xb7, 0x53, 0x67, 0x30, 0xba, 0x38, 0xa1, 0x09, 0xc4, 0x69, 0x5c, 0x34, 0xc3, 0xcf, 0xb2, 0x44, - 0x65, 0xbf, 0x61, 0xed, 0xaa, 0x36, 0x6a, 0xfa, 0x19, 0x18, 0x28, 0x02, 0x14, 0x91, 0xcd, 0x88, - 0xc4, 0xdb, 0x22, 0x6e, 0x8c, 0xd9, 0xad, 0x23, 0x0f, 0x57, 0xb8, 0x03, 0x77, 0x51, 0xc2, 0x39, - 0xd4, 0xd1, 0x8e, 0x70, 0x23, 0x54, 0x8b, 0x90, 0xe7, 0xe2, 0x33, 0xf7, 0xf4, 0x26, 0x4c, 0x43, - 0x85, 0xa9, 0x2e, 0x66, 0x2f, 0x97, 0x79, 0xb2, 0x28, 0x53, 0x6c, 0x98, 0xb7, 0xa3, 0x45, 0x38, - 0x9d, 0xa9, 0x96, 0x18, 0x8b, 0xb3, 0x12, 0x95, 0x18, 0x98, 0xa9, 0xb3, 0x18, 0xe3, 0xae, 0x27, - 0x4c, 0x17, 0xd3, 0xe8, 0x21, 0x2e, 0xa6, 0x8e, 0x8a, 0x4e, 0xe6, 0xa7, 0x18, 0xef, 0x2b, 0x64, - 0x00, 0xfa, 0x0a, 0x45, 0xfe, 0xa1, 0x4c, 0x28, 0xf2, 0x38, 0xeb, 0xc0, 0xed, 0x62, 0x3a, 0x70, - 0xf4, 0xb8, 0xe3, 0x47, 0x19, 0x47, 0xfc, 0xbf, 0x2c, 0x90, 0xdf, 0x75, 0xc1, 0x71, 0xb7, 0x09, - 0x9d, 0x32, 0x39, 0x19, 0x27, 0xd6, 0x91, 0x32, 0x4e, 0x66, 0xa1, 0x46, 0xc7, 0x89, 0x3f, 0xca, - 0xf5, 0xbe, 0xf2, 0x80, 0xcc, 0xad, 0x2d, 0x89, 0xa7, 0x34, 
0x0e, 0x0a, 0x61, 0xd2, 0x77, 0xe2, - 0x84, 0xf5, 0xa0, 0xde, 0x09, 0xdc, 0x87, 0x2c, 0x9b, 0xc3, 0xb2, 0xcf, 0x96, 0xb3, 0x84, 0x70, - 0x37, 0x6d, 0xfb, 0xdf, 0x55, 0x60, 0x3c, 0x25, 0x19, 0x8f, 0x68, 0x30, 0xbc, 0x00, 0x55, 0xa9, - 0xc3, 0xb3, 0xc5, 0xc3, 0x94, 0xa2, 0x57, 0x18, 0x54, 0x69, 0x6d, 0x68, 0xad, 0x9a, 0x35, 0x70, - 0x0c, 0x85, 0x8b, 0x4d, 0x3c, 0x26, 0x94, 0x13, 0x3f, 0x5e, 0xf0, 0x3d, 0x12, 0x24, 0xbc, 0x9b, - 0xc5, 0x08, 0xe5, 0xf5, 0xe5, 0xba, 0x49, 0x54, 0x0b, 0xe5, 0x0c, 0x00, 0x67, 0xd9, 0xa3, 0x4f, - 0x5b, 0x30, 0xee, 0xdc, 0x8b, 0x75, 0xf1, 0x7b, 0x11, 0x74, 0x3c, 0xa0, 0x92, 0x4a, 0xd5, 0xd3, - 0xe7, 0x8e, 0xfd, 0x54, 0x13, 0x4e, 0x33, 0x45, 0x6f, 0x58, 0x80, 0xc8, 0x1e, 0x71, 0x65, 0x58, - 0xb4, 0xe8, 0xcb, 0x70, 0x11, 0x3b, 0xf8, 0xcb, 0x5d, 0x74, 0xb9, 0x54, 0xef, 0x6e, 0xc7, 0x39, - 0x7d, 0x40, 0xd7, 0x01, 0x35, 0xbc, 0xd8, 0xd9, 0xf0, 0xc9, 0x42, 0xd8, 0x94, 0x19, 0xd3, 0xe2, - 0x3c, 0xfd, 0x82, 0x18, 0x67, 0xb4, 0xd8, 0x85, 0x81, 0x73, 0x9e, 0x62, 0xb3, 0x2c, 0x0a, 0xf7, - 0x3a, 0xb7, 0x22, 0x9f, 0x69, 0x09, 0x73, 0x96, 0x89, 0x76, 0xac, 0x30, 0xec, 0x3f, 0x2f, 0xab, - 0xa5, 0xac, 0x73, 0x00, 0x1c, 0x23, 0x16, 0xd9, 0x7a, 0xf8, 0x58, 0x64, 0x1d, 0x29, 0xd5, 0x5d, - 0x07, 0x20, 0x95, 0x36, 0x5c, 0x7a, 0x44, 0x69, 0xc3, 0xdf, 0x6b, 0xa5, 0x0a, 0xf4, 0x8d, 0x5e, - 0xfa, 0x40, 0xb1, 0xf9, 0x07, 0x33, 0x3c, 0x8a, 0x2b, 0xa3, 0x57, 0x32, 0xc1, 0x7b, 0x2f, 0x40, - 0x75, 0xd3, 0x77, 0x58, 0xe5, 0x18, 0xb6, 0x50, 0x8d, 0x08, 0xb3, 0x2b, 0xa2, 0x1d, 0x2b, 0x0c, - 0x2a, 0xf5, 0x0d, 0xa2, 0x47, 0x92, 0xda, 0xff, 0xb1, 0x0c, 0xa3, 0x86, 0xc6, 0xcf, 0x35, 0xdf, - 0xac, 0xc7, 0xcc, 0x7c, 0x2b, 0x1d, 0xc1, 0x7c, 0xfb, 0x1e, 0xa8, 0xb9, 0x52, 0x1b, 0x15, 0x73, - 0x95, 0x41, 0x56, 0xc7, 0x69, 0x85, 0xa4, 0x9a, 0xb0, 0xe6, 0x89, 0xae, 0xa6, 0x52, 0x53, 0x53, - 0x7e, 0x81, 0xbc, 0xdc, 0x51, 0xa1, 0xd1, 0xba, 0x9f, 0xc9, 0xc6, 0x07, 0x54, 0x0e, 0x8f, 0x0f, - 0xb0, 0xff, 0xd0, 0x52, 0x1f, 0xf7, 0x04, 0x6a, 0x10, 0xdd, 0x4d, 0xd7, 0x20, 0xba, 0x5c, 0xc8, - 
0x30, 0xf7, 0x28, 0x3e, 0xf4, 0x03, 0x16, 0x3c, 0x7b, 0x70, 0x51, 0x6f, 0xf4, 0x1c, 0x54, 0xb6, - 0xa2, 0xb0, 0xdd, 0x12, 0x3a, 0x58, 0xd1, 0x61, 0x15, 0xd4, 0x31, 0x87, 0xd1, 0x4d, 0xd4, 0x8e, - 0x17, 0x34, 0xb2, 0x9b, 0xa8, 0x1b, 0x5e, 0xd0, 0xc0, 0x0c, 0xd2, 0x47, 0xd5, 0xd7, 0x9b, 0x30, - 0xb2, 0x10, 0x36, 0x9b, 0x4e, 0xd0, 0x40, 0xdf, 0x00, 0x23, 0x2e, 0xff, 0x29, 0xfc, 0x79, 0xec, - 0xe0, 0x5c, 0x40, 0xb1, 0x84, 0xa1, 0xa7, 0x61, 0xc8, 0x89, 0xb6, 0xa4, 0x0f, 0x8f, 0x05, 0xe4, - 0xcd, 0x45, 0x5b, 0x31, 0x66, 0xad, 0xf6, 0x5f, 0x5a, 0x30, 0x41, 0x1f, 0xf1, 0xd8, 0x00, 0xb3, - 0xa1, 0x7d, 0x1e, 0x86, 0x9d, 0x76, 0xb2, 0x1d, 0x76, 0xed, 0x09, 0xe7, 0x58, 0x2b, 0x16, 0x50, - 0xda, 0x59, 0x55, 0x48, 0xc3, 0xe8, 0xec, 0x22, 0x5d, 0x57, 0x0c, 0x42, 0xcd, 0xea, 0xb8, 0xbd, - 0x91, 0x77, 0x72, 0x5b, 0xe7, 0xcd, 0x58, 0xc2, 0x29, 0xb1, 0x8d, 0xb0, 0xd1, 0x11, 0x61, 0xc6, - 0x8a, 0xd8, 0x7c, 0xd8, 0xe8, 0x60, 0x06, 0x41, 0xcf, 0x40, 0x39, 0xde, 0x76, 0x64, 0x8c, 0x80, - 0x8c, 0x78, 0xaf, 0x5f, 0x9b, 0xc3, 0xb4, 0x5d, 0x25, 0x70, 0x44, 0x7e, 0x36, 0xde, 0x37, 0x9d, - 0xc0, 0x11, 0xf9, 0xf6, 0x3f, 0x1f, 0x02, 0x16, 0xfb, 0xe3, 0x44, 0xa4, 0xb1, 0x1e, 0xb2, 0x3a, - 0xcd, 0xc7, 0x7a, 0xc4, 0xae, 0x37, 0xd5, 0x8f, 0xf3, 0x31, 0xbb, 0x71, 0xd4, 0x5a, 0x3e, 0xe9, - 0xa3, 0xd6, 0xfc, 0xd3, 0xf3, 0xa1, 0xc7, 0xe8, 0xf4, 0xdc, 0xfe, 0xbc, 0x05, 0x48, 0x45, 0x72, - 0xe9, 0xf0, 0x96, 0x59, 0xa8, 0xa9, 0xd0, 0x31, 0xb1, 0x5e, 0xb4, 0x88, 0x96, 0x00, 0xac, 0x71, - 0xfa, 0xf0, 0xa4, 0x3c, 0x27, 0xf5, 0x67, 0x39, 0x2d, 0x4b, 0x98, 0xd6, 0x15, 0xea, 0xd4, 0xfe, - 0xd5, 0x12, 0x3c, 0xc1, 0x4d, 0xb7, 0x15, 0x27, 0x70, 0xb6, 0x48, 0x93, 0xf6, 0xaa, 0xdf, 0x80, - 0x25, 0x97, 0x6e, 0xe1, 0x3d, 0x99, 0xad, 0x31, 0xa8, 0xec, 0xe4, 0x72, 0x86, 0x4b, 0x96, 0xa5, - 0xc0, 0x4b, 0x30, 0x23, 0x8e, 0x62, 0xa8, 0xca, 0x3b, 0xa8, 0x84, 0x2e, 0x2c, 0x88, 0x91, 0x52, - 0x0b, 0xc2, 0xca, 0x21, 0x58, 0x31, 0xa2, 0xa6, 0x8c, 0x1f, 0xba, 0x3b, 0x74, 0xc9, 0x67, 0x4d, - 0x99, 0x65, 0xd1, 0x8e, 0x15, 0x86, 
0xdd, 0x84, 0x53, 0x72, 0x0c, 0x5b, 0x37, 0x48, 0x07, 0x93, - 0x4d, 0xaa, 0xff, 0x5d, 0xd9, 0x64, 0x5c, 0x8b, 0xa5, 0xf4, 0xff, 0x82, 0x09, 0xc4, 0x69, 0x5c, - 0x59, 0xba, 0xb9, 0x94, 0x5f, 0xba, 0xd9, 0xfe, 0x55, 0x0b, 0xb2, 0x06, 0x08, 0x73, 0xc0, 0x99, - 0x77, 0x5c, 0xf5, 0xaa, 0xe9, 0x7e, 0x84, 0x6a, 0xae, 0x1f, 0x82, 0x51, 0x27, 0xa1, 0x16, 0x26, - 0xf7, 0x06, 0x95, 0x1f, 0xee, 0x14, 0x73, 0x25, 0x6c, 0x78, 0x9b, 0x1e, 0xf3, 0x02, 0x99, 0xe4, - 0xec, 0x1f, 0xad, 0x40, 0x6d, 0x31, 0xea, 0x1c, 0x3d, 0x6d, 0xae, 0x3b, 0x29, 0xae, 0x74, 0xa4, - 0xa4, 0x38, 0x99, 0x76, 0x57, 0xee, 0x99, 0x76, 0x27, 0xd3, 0xe6, 0x86, 0x1e, 0x55, 0xda, 0x5c, - 0xe5, 0x31, 0x49, 0x9b, 0x1b, 0x7e, 0x0c, 0xd2, 0xe6, 0x46, 0x4e, 0x38, 0x6d, 0xce, 0xfe, 0x1f, - 0x43, 0x30, 0xd9, 0x95, 0x05, 0x8c, 0x5e, 0x82, 0x31, 0xb5, 0x46, 0xe5, 0x01, 0x40, 0xcd, 0x0c, - 0xa3, 0xd7, 0x30, 0x9c, 0xc2, 0xec, 0x43, 0x50, 0x2f, 0xc1, 0x99, 0x88, 0xbc, 0xda, 0x26, 0x6d, - 0x32, 0xb7, 0x99, 0x90, 0xa8, 0x4e, 0xdc, 0x30, 0x68, 0xf0, 0x3a, 0xdf, 0xe5, 0xf9, 0x27, 0xef, - 0xef, 0x4f, 0x9f, 0xc1, 0xdd, 0x60, 0x9c, 0xf7, 0x0c, 0x6a, 0xc1, 0xb8, 0x6f, 0xee, 0x5c, 0xc5, - 0x1c, 0x7e, 0xa8, 0x4d, 0xaf, 0x92, 0x55, 0xa9, 0x66, 0x9c, 0x66, 0x90, 0xde, 0xfe, 0x56, 0x1e, - 0xd1, 0xf6, 0xf7, 0x53, 0x7a, 0xfb, 0xcb, 0xa3, 0xd2, 0x3e, 0x58, 0x70, 0x16, 0x78, 0x3f, 0xfb, - 0xdf, 0x41, 0x76, 0xb4, 0xef, 0x83, 0xaa, 0x8c, 0xd8, 0xed, 0x2b, 0xd2, 0xd5, 0xa4, 0xd3, 0x43, - 0xb3, 0x3f, 0x28, 0x41, 0x8e, 0xd3, 0x86, 0x4a, 0x5a, 0x6d, 0xed, 0xa7, 0x24, 0xed, 0xd1, 0x2c, - 0x7e, 0xb4, 0xc7, 0xa3, 0x95, 0xb9, 0x8d, 0xf7, 0xfe, 0xa2, 0x9d, 0x4e, 0x3a, 0x80, 0x59, 0xe9, - 0x3f, 0x15, 0xc4, 0x7c, 0x09, 0x40, 0x6f, 0x18, 0x85, 0xa5, 0xaf, 0xc2, 0x8f, 0xf4, 0xbe, 0x12, - 0x1b, 0x58, 0xe8, 0x45, 0x18, 0xf5, 0x82, 0x38, 0x71, 0x7c, 0xff, 0x9a, 0x17, 0x24, 0xc2, 0xfa, - 0x57, 0xc6, 0xec, 0x92, 0x06, 0x61, 0x13, 0xef, 0xc2, 0x7b, 0x8c, 0xef, 0x72, 0x94, 0xef, 0xb9, - 0x0d, 0xe7, 0xaf, 0x7a, 0x89, 0x12, 0x6d, 0x6a, 0x1e, 0xb1, 0x4d, 0x9e, 
0xd4, 0x40, 0x56, 0x4f, - 0x0d, 0x64, 0xa4, 0xa1, 0x96, 0xd2, 0x59, 0xb3, 0xd9, 0x34, 0x54, 0xdb, 0x85, 0xb3, 0x57, 0xbd, - 0xe4, 0x8a, 0xe7, 0x93, 0x63, 0x64, 0xf2, 0x2b, 0xc3, 0x30, 0x66, 0x56, 0x87, 0x38, 0x8a, 0xbe, - 0xfe, 0x02, 0xdd, 0x9d, 0x88, 0x81, 0xf0, 0x54, 0x48, 0xc5, 0x9d, 0x81, 0x4b, 0x55, 0xe4, 0x0f, - 0xae, 0xb1, 0x41, 0xd1, 0x3c, 0xb1, 0xd9, 0x01, 0x74, 0x0f, 0x2a, 0x9b, 0x2c, 0xa3, 0xb2, 0x5c, - 0x44, 0x30, 0x5c, 0xde, 0xe0, 0xeb, 0x15, 0xc9, 0x73, 0x32, 0x39, 0x3f, 0x6a, 0x54, 0x46, 0xe9, - 0x44, 0x7e, 0x23, 0xcf, 0x45, 0x58, 0x2b, 0x0a, 0xa3, 0x97, 0x56, 0xa8, 0x3c, 0x84, 0x56, 0x48, - 0xc9, 0xe8, 0xe1, 0x47, 0x24, 0xa3, 0x59, 0x76, 0x6c, 0xb2, 0xcd, 0xb6, 0x3c, 0x22, 0x31, 0x6f, - 0x84, 0x0d, 0x82, 0x91, 0x1d, 0x9b, 0x02, 0xe3, 0x2c, 0x3e, 0xfa, 0xb8, 0x92, 0xf2, 0xd5, 0x22, - 0x8e, 0xac, 0xcc, 0x19, 0x7d, 0xdc, 0x02, 0xfe, 0xf3, 0x25, 0x98, 0xb8, 0x1a, 0xb4, 0xd7, 0xae, - 0xae, 0xb5, 0x37, 0x7c, 0xcf, 0xbd, 0x41, 0x3a, 0x54, 0x8a, 0xef, 0x90, 0xce, 0xd2, 0x62, 0xd6, - 0xd7, 0x73, 0x83, 0x36, 0x62, 0x0e, 0xa3, 0x72, 0x6b, 0xd3, 0x0b, 0xb6, 0x48, 0xd4, 0x8a, 0x3c, - 0x71, 0x9a, 0x64, 0xc8, 0xad, 0x2b, 0x1a, 0x84, 0x4d, 0x3c, 0x4a, 0x3b, 0xbc, 0x17, 0xa8, 0x52, - 0x5d, 0x8a, 0xf6, 0x2a, 0x6d, 0xc4, 0x1c, 0x46, 0x91, 0x92, 0xa8, 0x2d, 0x9c, 0xb5, 0x06, 0xd2, - 0x3a, 0x6d, 0xc4, 0x1c, 0x26, 0x7c, 0x2f, 0x2c, 0xd6, 0xb0, 0xd2, 0xe5, 0x7b, 0x61, 0x61, 0x3a, - 0x12, 0x4e, 0x51, 0x77, 0x48, 0x67, 0xd1, 0x49, 0x9c, 0xac, 0xeb, 0xe4, 0x06, 0x6f, 0xc6, 0x12, - 0xce, 0xea, 0x8d, 0xa7, 0x87, 0xe3, 0x6b, 0xae, 0xde, 0x78, 0xba, 0xfb, 0x3d, 0x5c, 0x7e, 0x3f, - 0x5a, 0x82, 0xb1, 0x37, 0xef, 0x22, 0xce, 0xb9, 0x0b, 0xeb, 0x0e, 0x4c, 0x76, 0xe5, 0xe4, 0xf7, - 0x61, 0xf9, 0x1c, 0x5a, 0x33, 0xc5, 0xc6, 0x30, 0x4a, 0x09, 0xcb, 0x3a, 0x9b, 0x0b, 0x30, 0xc9, - 0x17, 0x2f, 0xe5, 0xc4, 0x52, 0xac, 0x55, 0x9d, 0x05, 0x76, 0x5c, 0x7a, 0x3b, 0x0b, 0xc4, 0xdd, - 0xf8, 0xf6, 0x0f, 0x59, 0x30, 0x9e, 0x2a, 0x93, 0x50, 0x90, 0x8d, 0xc6, 0x56, 0x77, 0xc8, 0xe2, - 0xe4, 0x59, 
0xde, 0x52, 0x99, 0xa9, 0x61, 0xbd, 0xba, 0x35, 0x08, 0x9b, 0x78, 0xf6, 0x6f, 0x95, - 0xa1, 0x2a, 0x63, 0xfa, 0xfa, 0xe8, 0xca, 0xe7, 0x2c, 0x18, 0x57, 0x47, 0xd4, 0xec, 0x4c, 0xa1, - 0x54, 0x44, 0xd6, 0x26, 0xed, 0x81, 0xf2, 0x8a, 0x05, 0x9b, 0xa1, 0xde, 0x30, 0x60, 0x93, 0x19, - 0x4e, 0xf3, 0x46, 0xb7, 0x01, 0xe2, 0x4e, 0x9c, 0x90, 0xa6, 0x71, 0xba, 0x61, 0x1b, 0xb3, 0x6c, - 0xc6, 0x0d, 0x23, 0x42, 0xe7, 0xd4, 0xcd, 0xb0, 0x41, 0xea, 0x0a, 0x53, 0x5b, 0x78, 0xba, 0x0d, - 0x1b, 0x94, 0xd0, 0x6b, 0x2a, 0xa0, 0x62, 0xa8, 0x08, 0xbd, 0x2e, 0xc7, 0xb7, 0x9f, 0x88, 0x8a, - 0x01, 0x22, 0x18, 0xec, 0x9f, 0x2d, 0xc1, 0xe9, 0xec, 0x48, 0xa2, 0x0f, 0xc2, 0x98, 0x1c, 0x34, - 0xc3, 0x79, 0x24, 0x03, 0x29, 0xc7, 0xb0, 0x01, 0x7b, 0xb0, 0x3f, 0x3d, 0xdd, 0x7d, 0xa9, 0xfd, - 0x8c, 0x89, 0x82, 0x53, 0xc4, 0x78, 0x78, 0x83, 0x88, 0xc3, 0x99, 0xef, 0xcc, 0xb5, 0x5a, 0x22, - 0x46, 0xc1, 0x08, 0x6f, 0x30, 0xa1, 0x38, 0x83, 0x8d, 0xd6, 0xe0, 0xac, 0xd1, 0x72, 0x93, 0x78, - 0x5b, 0xdb, 0x1b, 0x61, 0x24, 0xf7, 0xab, 0x4f, 0xeb, 0xb0, 0xed, 0x6e, 0x1c, 0x9c, 0xfb, 0x24, - 0x35, 0x8c, 0x5c, 0xa7, 0xe5, 0xb8, 0x5e, 0xd2, 0x11, 0xa7, 0x4c, 0x4a, 0x8c, 0x2f, 0x88, 0x76, - 0xac, 0x30, 0xec, 0x7f, 0x30, 0x04, 0xa7, 0x79, 0x9c, 0x32, 0x51, 0x61, 0xf8, 0xe8, 0x83, 0x50, - 0x8b, 0x13, 0x27, 0xe2, 0xae, 0x2a, 0xeb, 0xc8, 0xa2, 0x4b, 0xd7, 0x76, 0x90, 0x44, 0xb0, 0xa6, - 0x87, 0x3e, 0xc0, 0x0a, 0xe3, 0x79, 0xf1, 0x36, 0xa3, 0x5e, 0x7a, 0x38, 0x47, 0xd8, 0x15, 0x45, - 0x01, 0x1b, 0xd4, 0xd0, 0xb7, 0x42, 0xa5, 0xb5, 0xed, 0xc4, 0xd2, 0x4b, 0xfb, 0xbc, 0x94, 0x13, - 0x6b, 0xb4, 0xf1, 0xc1, 0xfe, 0xf4, 0xb9, 0xec, 0xab, 0x32, 0x00, 0xe6, 0x0f, 0x99, 0x52, 0x7e, - 0xe8, 0x10, 0x29, 0xff, 0x3c, 0x0c, 0x37, 0xa2, 0x4e, 0xfd, 0xda, 0x5c, 0xf6, 0x7e, 0xa3, 0x45, - 0xd6, 0x8a, 0x05, 0x94, 0xca, 0xa4, 0x6d, 0xce, 0xb2, 0x41, 0x91, 0x87, 0xd3, 0x16, 0xc7, 0x35, - 0x0d, 0xc2, 0x26, 0x1e, 0xfa, 0x7c, 0x77, 0x14, 0xfb, 0xc8, 0x31, 0x64, 0x39, 0xf5, 0x1b, 0xbf, - 0x7e, 0x19, 0x6a, 0xa2, 0xab, 0xeb, 0x21, 0x7a, 
0x09, 0xc6, 0xb8, 0x13, 0x70, 0x3e, 0x72, 0x02, - 0x77, 0x3b, 0xeb, 0xbc, 0x59, 0x37, 0x60, 0x38, 0x85, 0x69, 0xaf, 0xc0, 0x50, 0x9f, 0x42, 0xb6, - 0xaf, 0x3d, 0xf9, 0xfb, 0xa0, 0x4a, 0xc9, 0xc9, 0x0d, 0x5a, 0x11, 0x24, 0x43, 0xa8, 0xca, 0x8b, - 0x51, 0x91, 0x0d, 0x65, 0xcf, 0x91, 0xd1, 0x4a, 0x6a, 0x09, 0x2d, 0xc5, 0x71, 0x9b, 0x4d, 0x3b, - 0x0a, 0x44, 0xcf, 0x41, 0x99, 0xec, 0xb5, 0xb2, 0x61, 0x49, 0x97, 0xf7, 0x5a, 0x5e, 0x44, 0x62, - 0x8a, 0x44, 0xf6, 0x5a, 0xe8, 0x02, 0x94, 0xbc, 0x86, 0x98, 0x91, 0x20, 0x70, 0x4a, 0x4b, 0x8b, - 0xb8, 0xe4, 0x35, 0xec, 0x3d, 0xa8, 0xa9, 0x9b, 0x58, 0xd1, 0x8e, 0x34, 0xa9, 0xac, 0x22, 0xe2, - 0xd4, 0x25, 0xdd, 0x1e, 0xc6, 0x54, 0x1b, 0x40, 0x17, 0x0d, 0x29, 0x4a, 0x05, 0x5f, 0x84, 0x21, - 0x37, 0x14, 0xe5, 0x9e, 0xaa, 0x9a, 0x0c, 0xb3, 0xa5, 0x18, 0xc4, 0xbe, 0x03, 0x13, 0x37, 0x82, - 0xf0, 0x1e, 0xbb, 0x13, 0x8d, 0x95, 0x00, 0xa7, 0x84, 0x37, 0xe9, 0x8f, 0xac, 0xe5, 0xce, 0xa0, - 0x98, 0xc3, 0x54, 0xa1, 0xdf, 0x52, 0xaf, 0x42, 0xbf, 0xf6, 0x27, 0x2c, 0x18, 0x53, 0x5e, 0xd8, - 0xab, 0xbb, 0x3b, 0xfd, 0x9d, 0xfe, 0x1a, 0x65, 0x39, 0x4a, 0x87, 0x94, 0xe5, 0x90, 0x07, 0xc5, - 0xe5, 0x5e, 0x07, 0xc5, 0xf6, 0x5f, 0x59, 0x70, 0x5a, 0x75, 0x41, 0xda, 0x4c, 0x2f, 0xc1, 0xd8, - 0x46, 0xdb, 0xf3, 0x1b, 0xb2, 0xb6, 0x79, 0x66, 0xb9, 0xcc, 0x1b, 0x30, 0x9c, 0xc2, 0x44, 0x97, - 0x00, 0x36, 0xbc, 0xc0, 0x89, 0x3a, 0x6b, 0xda, 0x48, 0x53, 0x7a, 0x7b, 0x5e, 0x41, 0xb0, 0x81, - 0x85, 0x3e, 0x06, 0xd5, 0x5d, 0x19, 0x1f, 0x50, 0x2e, 0xb4, 0x9a, 0x84, 0x18, 0x0f, 0xbd, 0x12, - 0x54, 0xc0, 0x81, 0xe2, 0x68, 0x7f, 0xb1, 0x0c, 0x13, 0xe9, 0x0a, 0x10, 0x7d, 0x78, 0x4e, 0x9e, - 0x83, 0x0a, 0x2b, 0x0a, 0x91, 0x9d, 0x58, 0xbc, 0x18, 0x39, 0x87, 0xa1, 0x18, 0x86, 0xb9, 0x28, - 0x29, 0xe6, 0xda, 0x5e, 0xd5, 0x49, 0xe5, 0x9f, 0x65, 0xce, 0x6b, 0x71, 0xd8, 0x21, 0x58, 0xa1, - 0x4f, 0x5b, 0x30, 0x12, 0xb6, 0xcc, 0x0a, 0xb3, 0xef, 0x2f, 0xb2, 0x3a, 0x86, 0x48, 0x41, 0x17, - 0xd6, 0x90, 0x9a, 0x78, 0x72, 0x32, 0x48, 0xd6, 0x17, 0xbe, 0x05, 0xc6, 0x4c, 0xcc, 
0xc3, 0x0c, - 0xa2, 0xaa, 0x69, 0x10, 0x7d, 0xce, 0x9c, 0x92, 0xa2, 0xfe, 0x47, 0x1f, 0x8b, 0xfd, 0x16, 0x54, - 0x5c, 0x15, 0x70, 0xf9, 0x50, 0xf7, 0x71, 0xa8, 0xfa, 0x78, 0x2c, 0x98, 0x85, 0x53, 0xb3, 0xff, - 0xd0, 0x32, 0xe6, 0x07, 0x26, 0xf1, 0x52, 0x03, 0x45, 0x50, 0xde, 0xda, 0xdd, 0x11, 0x46, 0xc6, - 0xf5, 0x82, 0x86, 0xf7, 0xea, 0xee, 0x8e, 0x5e, 0x61, 0x66, 0x2b, 0xa6, 0xcc, 0xfa, 0x38, 0x44, - 0x48, 0x95, 0x89, 0x29, 0x1f, 0x5e, 0x26, 0xc6, 0x7e, 0xa3, 0x04, 0x93, 0x5d, 0x93, 0x0a, 0xbd, - 0x06, 0x95, 0x88, 0xbe, 0xa5, 0x78, 0xbd, 0xe5, 0xc2, 0x0a, 0xbb, 0xc4, 0x4b, 0x0d, 0xad, 0xbc, - 0xd3, 0xed, 0x98, 0xb3, 0x44, 0xd7, 0x01, 0xe9, 0xb0, 0x60, 0x75, 0x82, 0xc1, 0x5f, 0x59, 0xc5, - 0x0e, 0xce, 0x75, 0x61, 0xe0, 0x9c, 0xa7, 0xd0, 0xcb, 0xd9, 0x83, 0x90, 0x4c, 0xcd, 0xf2, 0x83, - 0xce, 0x34, 0xec, 0xd7, 0xcd, 0x29, 0x78, 0x5b, 0x0b, 0xd3, 0x41, 0x37, 0xa7, 0x5d, 0x92, 0xb5, - 0xdc, 0xaf, 0x64, 0xb5, 0x7f, 0xa9, 0x04, 0xe3, 0xa9, 0x1a, 0xc4, 0xc8, 0x87, 0x2a, 0xf1, 0xd9, - 0x79, 0xbd, 0xd4, 0xbe, 0x83, 0x5e, 0xa1, 0xa4, 0xe4, 0xe4, 0x65, 0x41, 0x17, 0x2b, 0x0e, 0x8f, - 0x47, 0x94, 0xe3, 0x4b, 0x30, 0x26, 0x3b, 0xf4, 0x7e, 0xa7, 0xe9, 0x67, 0x87, 0xef, 0xb2, 0x01, - 0xc3, 0x29, 0x4c, 0xfb, 0xd7, 0xca, 0x30, 0xc5, 0x03, 0x1c, 0x1a, 0x6a, 0x31, 0xa8, 0x40, 0xa5, - 0x1f, 0xd4, 0x95, 0xc2, 0xf9, 0x40, 0x6e, 0x0c, 0x7a, 0x63, 0x61, 0x3e, 0xa3, 0xbe, 0x82, 0xf3, - 0x7f, 0x22, 0x13, 0x9c, 0xcf, 0xb7, 0xea, 0x5b, 0xc7, 0xd4, 0xa3, 0xaf, 0xad, 0x68, 0xfd, 0x7f, - 0x52, 0x82, 0x53, 0x99, 0xeb, 0x20, 0xd1, 0x17, 0xd3, 0x37, 0x08, 0x59, 0x45, 0x1c, 0xff, 0x1d, - 0x78, 0x43, 0xe0, 0xd1, 0xee, 0x11, 0x7a, 0x44, 0x4b, 0xc5, 0xfe, 0xfd, 0x12, 0x4c, 0xa4, 0xef, - 0xb1, 0x7c, 0x0c, 0x47, 0xea, 0xed, 0x50, 0x63, 0x57, 0xb5, 0xdd, 0x20, 0x1d, 0x79, 0xca, 0xc8, - 0x6f, 0xc5, 0x92, 0x8d, 0x58, 0xc3, 0x1f, 0x8b, 0xeb, 0x99, 0xec, 0x7f, 0x6a, 0xc1, 0x39, 0xfe, - 0x96, 0xd9, 0x79, 0xf8, 0xb7, 0xf2, 0x46, 0xf7, 0x95, 0x62, 0x3b, 0x98, 0xa9, 0x70, 0x7f, 0xd8, - 0xf8, 0x52, 0xe3, 0xe5, 
0xac, 0xe8, 0x6d, 0x7a, 0x2a, 0x3c, 0x86, 0x9d, 0x3d, 0xd2, 0x64, 0xb0, - 0xff, 0x7d, 0x09, 0x46, 0x57, 0x17, 0x96, 0x94, 0x08, 0x9f, 0x85, 0x9a, 0x1b, 0x11, 0x47, 0xbb, - 0x7f, 0xcc, 0xf0, 0x39, 0x09, 0xc0, 0x1a, 0x87, 0xee, 0xa2, 0x78, 0xf8, 0x69, 0x9c, 0xdd, 0x45, - 0xf1, 0xe8, 0xd4, 0x18, 0x4b, 0x38, 0x7a, 0x01, 0xaa, 0x2c, 0x49, 0xfd, 0x56, 0x24, 0x35, 0x8e, - 0xde, 0x5a, 0xb3, 0x76, 0xbc, 0x8c, 0x15, 0x06, 0x25, 0xdc, 0x08, 0xdd, 0x98, 0x22, 0x67, 0x3c, - 0x32, 0x8b, 0xb4, 0x19, 0x2f, 0x63, 0x09, 0x67, 0x35, 0x46, 0x99, 0xd7, 0x82, 0x22, 0x57, 0xd2, - 0x9d, 0xe6, 0xee, 0x0d, 0x8a, 0xae, 0x71, 0x8e, 0x52, 0x8b, 0x36, 0x93, 0x28, 0x3a, 0xd2, 0x5f, - 0xa2, 0xa8, 0xfd, 0xfb, 0x65, 0xa8, 0x69, 0xa7, 0x9a, 0x27, 0x2a, 0xb3, 0x14, 0x72, 0x83, 0x42, - 0xbd, 0x13, 0xb8, 0x8a, 0x34, 0x8f, 0x26, 0x30, 0x0a, 0xb3, 0x7c, 0xbf, 0x05, 0xa3, 0x5e, 0xe0, - 0x25, 0x9e, 0xc3, 0x7c, 0x83, 0xc5, 0x5c, 0xad, 0xaf, 0xd8, 0x2d, 0x71, 0xca, 0x61, 0x64, 0x1e, - 0xf9, 0x2b, 0x66, 0xd8, 0xe4, 0x8c, 0x3e, 0x2a, 0xf2, 0x12, 0xcb, 0x85, 0x95, 0x37, 0xaa, 0x66, - 0x92, 0x11, 0x5b, 0xd4, 0xc6, 0x4e, 0xa2, 0x82, 0xaa, 0x82, 0x61, 0x4a, 0x4a, 0xdd, 0xe4, 0xa3, - 0x76, 0x31, 0xac, 0x19, 0x73, 0x46, 0x76, 0x0c, 0xa8, 0x7b, 0x2c, 0x8e, 0x98, 0xf3, 0x35, 0x0b, - 0x35, 0xa7, 0x9d, 0x84, 0x4d, 0x3a, 0x4c, 0x22, 0x60, 0x40, 0x67, 0xb5, 0x49, 0x00, 0xd6, 0x38, - 0xf6, 0x17, 0x2b, 0x90, 0xa9, 0x93, 0x82, 0xf6, 0xa0, 0xa6, 0x2a, 0xa5, 0x14, 0x93, 0x43, 0xad, - 0x67, 0x94, 0xea, 0x8c, 0x6a, 0xc2, 0x9a, 0x19, 0xda, 0x92, 0x6e, 0x56, 0xbe, 0xda, 0xdf, 0x97, - 0x75, 0xb3, 0x7e, 0x47, 0x7f, 0xa7, 0x6e, 0x74, 0xae, 0xce, 0xf2, 0xca, 0x98, 0x33, 0x87, 0x7a, - 0x64, 0xcb, 0x87, 0x78, 0x64, 0x3f, 0x29, 0xee, 0xfa, 0xc3, 0x24, 0x6e, 0xfb, 0x89, 0x98, 0x0d, - 0xef, 0x2b, 0x70, 0x95, 0x71, 0xc2, 0xba, 0xde, 0x18, 0xff, 0x8f, 0x0d, 0xa6, 0x69, 0xbf, 0xf9, - 0xf0, 0xb1, 0xfa, 0xcd, 0x47, 0x0a, 0xf5, 0x9b, 0x5f, 0x02, 0x60, 0x73, 0x9b, 0xe7, 0xa6, 0x54, - 0x99, 0x3b, 0x53, 0xa9, 0x18, 0xac, 0x20, 0xd8, 0xc0, 0xb2, 
0xbf, 0x09, 0xd2, 0x05, 0xf3, 0xd0, - 0xb4, 0xac, 0xcf, 0xc7, 0x4f, 0x04, 0x59, 0x5a, 0x70, 0xaa, 0x94, 0xde, 0x2f, 0x58, 0x60, 0x56, - 0xf5, 0x43, 0xaf, 0xf2, 0xf2, 0x81, 0x56, 0x11, 0x27, 0x4c, 0x06, 0xdd, 0x99, 0x15, 0xa7, 0x95, - 0x89, 0x76, 0x92, 0x35, 0x04, 0x2f, 0xbc, 0x07, 0xaa, 0x12, 0x7a, 0x24, 0x63, 0xf9, 0xe3, 0x70, - 0x46, 0x96, 0x18, 0x91, 0x87, 0x41, 0x22, 0xea, 0xe0, 0x64, 0x32, 0x4c, 0x7e, 0xd1, 0x82, 0x8b, - 0xd9, 0x0e, 0xc4, 0x2b, 0x61, 0xe0, 0x25, 0x61, 0x54, 0x27, 0x49, 0xe2, 0x05, 0x5b, 0xac, 0xca, - 0xf3, 0x3d, 0x27, 0x92, 0x37, 0x7d, 0x31, 0x41, 0x79, 0xc7, 0x89, 0x02, 0xcc, 0x5a, 0x51, 0x07, - 0x86, 0x79, 0x00, 0xbd, 0xd8, 0x05, 0x0d, 0xb8, 0x36, 0x72, 0x86, 0x43, 0x6f, 0xc3, 0x78, 0xf0, - 0x3e, 0x16, 0x0c, 0xed, 0xaf, 0x58, 0x80, 0x56, 0x77, 0x49, 0x14, 0x79, 0x0d, 0x23, 0xe4, 0x9f, - 0xdd, 0x99, 0x6b, 0xdc, 0x8d, 0x6b, 0x16, 0xc0, 0xc9, 0xdc, 0x99, 0x6b, 0xfc, 0xcb, 0xbf, 0x33, - 0xb7, 0x74, 0xb4, 0x3b, 0x73, 0xd1, 0x2a, 0x9c, 0x6b, 0xf2, 0x6d, 0x1c, 0xbf, 0x87, 0x92, 0xef, - 0xe9, 0x54, 0xad, 0x86, 0xf3, 0xf7, 0xf7, 0xa7, 0xcf, 0xad, 0xe4, 0x21, 0xe0, 0xfc, 0xe7, 0xec, - 0xf7, 0x00, 0xe2, 0xa1, 0xaf, 0x0b, 0x79, 0xe1, 0xaa, 0x3d, 0xdd, 0x1c, 0xf6, 0x97, 0x2a, 0x70, - 0x2a, 0x73, 0x0f, 0x0c, 0xdd, 0x42, 0x77, 0xc7, 0xc7, 0x0e, 0xac, 0xbf, 0xbb, 0xbb, 0xd7, 0x57, - 0xc4, 0x6d, 0x00, 0x15, 0x2f, 0x68, 0xb5, 0x93, 0x62, 0x4a, 0xc5, 0xf0, 0x4e, 0x2c, 0x51, 0x82, - 0xc6, 0xb9, 0x04, 0xfd, 0x8b, 0x39, 0x9b, 0x22, 0xe3, 0x77, 0x53, 0x9b, 0x9c, 0xa1, 0x47, 0xe4, - 0x66, 0xf9, 0xa4, 0x8e, 0xa6, 0xad, 0x14, 0xe1, 0x43, 0xce, 0x4c, 0x96, 0xe3, 0x0e, 0xb5, 0xfa, - 0xb9, 0x12, 0x8c, 0x1a, 0x1f, 0x0d, 0xfd, 0x64, 0xba, 0xe6, 0xad, 0x55, 0xdc, 0x2b, 0x31, 0xfa, - 0x33, 0xba, 0xaa, 0x2d, 0x7f, 0xa5, 0xe7, 0xbb, 0xcb, 0xdd, 0x3e, 0xd8, 0x9f, 0x3e, 0x9d, 0x29, - 0x68, 0x9b, 0x2a, 0x81, 0x7b, 0xe1, 0xbb, 0xe1, 0x54, 0x86, 0x4c, 0xce, 0x2b, 0xaf, 0x9b, 0xaf, - 0x3c, 0xb0, 0xbb, 0xcf, 0x1c, 0xb2, 0x9f, 0xa1, 0x43, 0x26, 0x2a, 0x54, 0x84, 0x3e, 0xe9, 0xc3, - 
0xd7, 0x99, 0xd9, 0x5f, 0x94, 0xfa, 0x2c, 0x44, 0xf3, 0x36, 0xa8, 0xb6, 0x42, 0xdf, 0x73, 0x3d, - 0x55, 0x32, 0x9f, 0x95, 0xbe, 0x59, 0x13, 0x6d, 0x58, 0x41, 0xd1, 0x3d, 0xa8, 0xdd, 0xbd, 0x97, - 0xf0, 0x63, 0x46, 0x71, 0x94, 0x51, 0xd4, 0xe9, 0xa2, 0x32, 0x5a, 0xd4, 0x39, 0x26, 0xd6, 0xbc, - 0x90, 0x0d, 0xc3, 0x4c, 0x09, 0xca, 0x6c, 0x55, 0x76, 0xcc, 0xc2, 0xb4, 0x63, 0x8c, 0x05, 0xc4, - 0xfe, 0xb7, 0xa3, 0x70, 0x36, 0xef, 0x32, 0x2e, 0xf4, 0x31, 0x18, 0xe6, 0x7d, 0x2c, 0xe6, 0xbe, - 0xc7, 0x3c, 0x1e, 0x57, 0x19, 0x41, 0xd1, 0x2d, 0xf6, 0x1b, 0x0b, 0x9e, 0x82, 0xbb, 0xef, 0x6c, - 0x88, 0x19, 0x72, 0x3c, 0xdc, 0x97, 0x1d, 0xcd, 0x7d, 0xd9, 0xe1, 0xdc, 0x7d, 0x67, 0x03, 0xed, - 0x41, 0x65, 0xcb, 0x4b, 0x88, 0x23, 0x9c, 0x33, 0x77, 0x8e, 0x85, 0x39, 0x71, 0xb8, 0x95, 0xc6, - 0x7e, 0x62, 0xce, 0x10, 0x7d, 0xd9, 0x82, 0x53, 0x1b, 0xe9, 0x0a, 0x58, 0x42, 0x78, 0x3a, 0xc7, - 0x70, 0xe1, 0x5a, 0x9a, 0x11, 0xbf, 0x34, 0x3a, 0xd3, 0x88, 0xb3, 0xdd, 0x41, 0x9f, 0xb2, 0x60, - 0x64, 0xd3, 0xf3, 0x8d, 0x1b, 0x6d, 0x8e, 0xe1, 0xe3, 0x5c, 0x61, 0x0c, 0xf4, 0x8e, 0x83, 0xff, - 0x8f, 0xb1, 0xe4, 0xdc, 0x4b, 0x53, 0x0d, 0x0f, 0xaa, 0xa9, 0x46, 0x1e, 0x91, 0xa6, 0xfa, 0xac, - 0x05, 0x35, 0x35, 0xd2, 0xa2, 0x92, 0xd0, 0x07, 0x8f, 0xf1, 0x93, 0x73, 0x8f, 0x94, 0xfa, 0x8b, - 0x35, 0x73, 0xf4, 0xba, 0x05, 0xa3, 0xce, 0x6b, 0xed, 0x88, 0x34, 0xc8, 0x6e, 0xd8, 0x8a, 0x45, - 0x89, 0xdf, 0x57, 0x8a, 0xef, 0xcc, 0x1c, 0x65, 0xb2, 0x48, 0x76, 0x57, 0x5b, 0xb1, 0xc8, 0xa4, - 0xd7, 0x0d, 0xd8, 0xec, 0x02, 0xfa, 0x3e, 0xad, 0xc7, 0xa1, 0x88, 0x42, 0xef, 0x79, 0xbd, 0xe9, - 0xab, 0x30, 0x04, 0x81, 0xa7, 0xdc, 0x30, 0x48, 0xbc, 0xa0, 0x4d, 0x56, 0x03, 0x4c, 0x5a, 0xe1, - 0xcd, 0x30, 0xb9, 0x12, 0xb6, 0x83, 0xc6, 0xe5, 0x28, 0x0a, 0x23, 0x56, 0x2a, 0xc9, 0xb8, 0xe6, - 0x77, 0xa1, 0x37, 0x2a, 0x3e, 0x88, 0xce, 0x20, 0x36, 0xc3, 0x7e, 0x09, 0xa6, 0x0f, 0x19, 0x6c, - 0xf4, 0x12, 0x8c, 0x85, 0xd1, 0x96, 0x13, 0x78, 0xaf, 0x99, 0xd5, 0xff, 0x94, 0x41, 0xba, 0x6a, - 0xc0, 0x70, 0x0a, 0xd3, 0x2c, 0x0b, 
0x55, 0x3a, 0xa4, 0x2c, 0xd4, 0x45, 0x18, 0x8a, 0x48, 0x2b, - 0xcc, 0xee, 0xab, 0x58, 0xc2, 0x29, 0x83, 0xa0, 0x67, 0xa0, 0xec, 0xb4, 0x3c, 0xe1, 0x5c, 0x54, - 0xdb, 0xc5, 0xb9, 0xb5, 0x25, 0x4c, 0xdb, 0x53, 0x55, 0xea, 0x2a, 0x27, 0x52, 0xa5, 0x8e, 0x6a, - 0x4c, 0x71, 0x7c, 0x36, 0xac, 0x35, 0x66, 0xfa, 0x58, 0xcb, 0x7e, 0xa3, 0x0c, 0xcf, 0x1c, 0xb8, - 0xb4, 0x74, 0xc8, 0xba, 0x75, 0x40, 0xc8, 0xba, 0x1c, 0x9e, 0xd2, 0x61, 0xc3, 0x53, 0xee, 0x31, - 0x3c, 0x9f, 0xa2, 0x12, 0x43, 0x56, 0x4d, 0x14, 0x4a, 0x62, 0xc0, 0x34, 0x82, 0x5e, 0x45, 0x18, - 0x85, 0xb0, 0x90, 0x50, 0xac, 0xf9, 0xd2, 0xed, 0x52, 0xaa, 0x24, 0x52, 0xa5, 0x08, 0x8d, 0xd9, - 0xb3, 0x72, 0x21, 0x17, 0x13, 0xbd, 0xea, 0x2c, 0xd9, 0xbf, 0x3c, 0x04, 0xcf, 0xf5, 0xa1, 0xe8, - 0xcc, 0x59, 0x6c, 0xf5, 0x39, 0x8b, 0xbf, 0xc6, 0x3f, 0xd3, 0x67, 0x72, 0x3f, 0x13, 0x2e, 0xfe, - 0x33, 0x1d, 0xfc, 0x85, 0xd8, 0x09, 0x44, 0x10, 0x13, 0xb7, 0x1d, 0xf1, 0xf4, 0x1d, 0x23, 0x1b, - 0x7d, 0x49, 0xb4, 0x63, 0x85, 0x41, 0xb7, 0xbf, 0xae, 0x43, 0x97, 0xff, 0x48, 0x41, 0x25, 0x70, - 0xcc, 0xc4, 0x76, 0x6e, 0x7d, 0x2d, 0xcc, 0x51, 0x09, 0xc0, 0xd9, 0xd8, 0xbf, 0x6e, 0xc1, 0x85, - 0xde, 0xd6, 0x08, 0x7a, 0x27, 0x8c, 0x6e, 0xb0, 0x60, 0xca, 0x15, 0x16, 0x32, 0x25, 0xa6, 0x0e, - 0x7b, 0x5f, 0xdd, 0x8c, 0x4d, 0x1c, 0xb4, 0x00, 0x93, 0x66, 0x14, 0xe6, 0x8a, 0x11, 0x6b, 0xc5, - 0xfc, 0x25, 0xeb, 0x59, 0x20, 0xee, 0xc6, 0x47, 0x33, 0x00, 0x89, 0x97, 0xf8, 0x84, 0x3f, 0xcd, - 0x27, 0x1a, 0x73, 0x28, 0xae, 0xab, 0x56, 0x6c, 0x60, 0xd8, 0x5f, 0x2d, 0xe7, 0xbf, 0x06, 0xb7, - 0x72, 0x8f, 0x32, 0xfb, 0xc5, 0xdc, 0x2e, 0xf5, 0x21, 0xa1, 0xcb, 0x27, 0x2d, 0xa1, 0x87, 0x7a, - 0x49, 0x68, 0xb4, 0x08, 0xa7, 0x8d, 0x8b, 0x83, 0x79, 0x11, 0x25, 0x7e, 0x28, 0xa5, 0x2a, 0x20, - 0xae, 0x65, 0xe0, 0xb8, 0xeb, 0x89, 0xc7, 0x7c, 0xaa, 0xfe, 0x46, 0x09, 0xce, 0xf7, 0xdc, 0x58, - 0x9c, 0x90, 0x06, 0x32, 0x3f, 0xff, 0xd0, 0xc9, 0x7c, 0x7e, 0xf3, 0xa3, 0x54, 0x0e, 0xfd, 0x28, - 0xfd, 0xa8, 0xf3, 0x3f, 0x28, 0xf5, 0x5c, 0x2c, 0x74, 0x23, 0xfa, 0xd7, 
0x76, 0x24, 0x5f, 0x86, - 0x71, 0xa7, 0xd5, 0xe2, 0x78, 0x2c, 0x33, 0x23, 0x53, 0x95, 0x75, 0xce, 0x04, 0xe2, 0x34, 0x6e, - 0x5f, 0x03, 0xfb, 0x27, 0x16, 0xd4, 0x30, 0xd9, 0xe4, 0x12, 0x0e, 0xdd, 0x15, 0x43, 0x64, 0x15, - 0x71, 0x35, 0x06, 0x1d, 0xd8, 0xd8, 0x63, 0x85, 0x17, 0xf2, 0x06, 0x7b, 0xd0, 0xba, 0x1a, 0xea, - 0xba, 0xe1, 0x72, 0xef, 0xeb, 0x86, 0xed, 0x5f, 0xa9, 0xd1, 0xd7, 0x6b, 0x85, 0x0b, 0x11, 0x69, - 0xc4, 0xf4, 0xfb, 0xb6, 0x23, 0x5f, 0x4c, 0x12, 0xf5, 0x7d, 0x6f, 0xe1, 0x65, 0x4c, 0xdb, 0x53, - 0xe7, 0x93, 0xa5, 0x23, 0xd5, 0xa4, 0x2c, 0x1f, 0x5a, 0x93, 0xf2, 0x65, 0x18, 0x8f, 0xe3, 0xed, - 0xb5, 0xc8, 0xdb, 0x75, 0x12, 0x72, 0x83, 0xc8, 0x82, 0x51, 0xba, 0x3e, 0x5b, 0xfd, 0x9a, 0x06, - 0xe2, 0x34, 0x2e, 0xba, 0x0a, 0x93, 0xba, 0x32, 0x24, 0x89, 0x12, 0x96, 0xf2, 0xc8, 0x67, 0x82, - 0x2a, 0x06, 0xa4, 0x6b, 0x49, 0x0a, 0x04, 0xdc, 0xfd, 0x0c, 0x95, 0xb9, 0xa9, 0x46, 0xda, 0x91, - 0xe1, 0xb4, 0xcc, 0x4d, 0xd1, 0xa1, 0x7d, 0xe9, 0x7a, 0x02, 0xad, 0xc0, 0x19, 0x3e, 0x31, 0xe6, - 0x5a, 0x2d, 0xe3, 0x8d, 0x46, 0xd2, 0xf7, 0x11, 0x5c, 0xed, 0x46, 0xc1, 0x79, 0xcf, 0xa1, 0x17, - 0x61, 0x54, 0x35, 0x2f, 0x2d, 0x8a, 0xa3, 0x35, 0xe5, 0xda, 0x53, 0x64, 0x96, 0x1a, 0xd8, 0xc4, - 0x43, 0xef, 0x87, 0x27, 0xf5, 0x5f, 0x9e, 0x42, 0xcf, 0xcf, 0x9b, 0x17, 0x45, 0xd1, 0x5d, 0x75, - 0xdd, 0xdd, 0xd5, 0x5c, 0xb4, 0x06, 0xee, 0xf5, 0x3c, 0xda, 0x80, 0x0b, 0x0a, 0x74, 0x39, 0x48, - 0x58, 0x92, 0x6b, 0x4c, 0xe6, 0x9d, 0x98, 0x45, 0x4e, 0x00, 0x7b, 0x4f, 0x5b, 0x50, 0xbf, 0x70, - 0xd5, 0x4b, 0xae, 0xe5, 0x61, 0xe2, 0x65, 0x7c, 0x00, 0x15, 0x34, 0x0b, 0x35, 0x12, 0x38, 0x1b, - 0x3e, 0x59, 0x5d, 0x58, 0x12, 0x3b, 0x52, 0x9d, 0x1d, 0x21, 0x01, 0x58, 0xe3, 0xa8, 0xf8, 0xfe, - 0xb1, 0x5e, 0xf1, 0xfd, 0x68, 0x0d, 0xce, 0x6e, 0xb9, 0x2d, 0x6a, 0x65, 0x7a, 0x2e, 0x99, 0x73, - 0x59, 0x40, 0x31, 0xfd, 0x30, 0xfc, 0xa2, 0x08, 0x95, 0x28, 0x75, 0x75, 0x61, 0xad, 0x0b, 0x07, - 0xe7, 0x3e, 0xc9, 0x02, 0xcf, 0xa3, 0x70, 0xaf, 0x33, 0x75, 0x26, 0x13, 0x78, 0x4e, 0x1b, 0x31, - 0x87, 0xa1, 
0xeb, 0x80, 0x58, 0xb2, 0xe0, 0xb5, 0x24, 0x69, 0x29, 0xb3, 0x76, 0xea, 0x6c, 0xba, - 0x04, 0xe7, 0x95, 0x2e, 0x0c, 0x9c, 0xf3, 0x14, 0xb5, 0x7a, 0x82, 0x90, 0x51, 0x9f, 0x7a, 0x32, - 0x6d, 0xf5, 0xdc, 0xe4, 0xcd, 0x58, 0xc2, 0xd1, 0x87, 0x60, 0xaa, 0x1d, 0x13, 0xb6, 0x61, 0xbe, - 0x13, 0x46, 0x3b, 0x7e, 0xe8, 0x34, 0x96, 0xd8, 0xbd, 0xc6, 0x49, 0x67, 0x6a, 0x8a, 0x31, 0xbf, - 0x28, 0x9e, 0x9d, 0xba, 0xd5, 0x03, 0x0f, 0xf7, 0xa4, 0x90, 0xad, 0x21, 0x7b, 0xbe, 0xcf, 0x1a, - 0xb2, 0x6b, 0x70, 0x56, 0xea, 0xb5, 0xd5, 0x85, 0x25, 0xf5, 0xd2, 0x53, 0x17, 0xd2, 0x17, 0x25, - 0x2e, 0xe5, 0xe0, 0xe0, 0xdc, 0x27, 0xed, 0x3f, 0xb6, 0x60, 0x5c, 0x49, 0xb0, 0x13, 0x48, 0x5a, - 0xf6, 0xd3, 0x49, 0xcb, 0x57, 0x07, 0xd7, 0x01, 0xac, 0xe7, 0x3d, 0x52, 0x6c, 0x7e, 0x69, 0x1c, - 0x40, 0xeb, 0x09, 0xa5, 0xa2, 0xad, 0x9e, 0x2a, 0xfa, 0xb1, 0x95, 0xd1, 0x79, 0x35, 0x41, 0x2b, - 0x8f, 0xb6, 0x26, 0x68, 0x1d, 0xce, 0xc9, 0x29, 0xc5, 0x8f, 0x94, 0xaf, 0x85, 0xb1, 0x12, 0xf9, - 0xc6, 0xcd, 0x97, 0x4b, 0x79, 0x48, 0x38, 0xff, 0xd9, 0x94, 0x6d, 0x37, 0x72, 0xa8, 0x6d, 0xa7, - 0xa4, 0xdc, 0xf2, 0xa6, 0xbc, 0x97, 0x36, 0x23, 0xe5, 0x96, 0xaf, 0xd4, 0xb1, 0xc6, 0xc9, 0x57, - 0x75, 0xb5, 0x82, 0x54, 0x1d, 0x1c, 0x59, 0xd5, 0x49, 0xa1, 0x3b, 0xda, 0x53, 0xe8, 0xca, 0xa3, - 0xab, 0xb1, 0x9e, 0x47, 0x57, 0xef, 0x85, 0x09, 0x2f, 0xd8, 0x26, 0x91, 0x97, 0x90, 0x06, 0x5b, - 0x0b, 0x4c, 0x20, 0x57, 0xb5, 0xa1, 0xb3, 0x94, 0x82, 0xe2, 0x0c, 0x76, 0x5a, 0x53, 0x4c, 0xf4, - 0xa1, 0x29, 0x7a, 0xe8, 0xe7, 0x53, 0xc5, 0xe8, 0xe7, 0xd3, 0x83, 0xeb, 0xe7, 0xc9, 0x63, 0xd5, - 0xcf, 0xa8, 0x10, 0xfd, 0xdc, 0x97, 0xea, 0x33, 0x36, 0xe9, 0x67, 0x0f, 0xd9, 0xa4, 0xf7, 0x52, - 0xce, 0xe7, 0x1e, 0x5a, 0x39, 0xe7, 0xeb, 0xdd, 0x27, 0xde, 0xd4, 0xbb, 0x45, 0xe8, 0x5d, 0xfa, - 0xfd, 0x1b, 0xa4, 0x95, 0x6c, 0x4f, 0x3d, 0xc5, 0x26, 0xab, 0xfa, 0xfe, 0x8b, 0xb4, 0x11, 0x73, - 0x98, 0xfd, 0xd9, 0x12, 0x9c, 0xd3, 0xea, 0x8b, 0x0a, 0x0d, 0x6f, 0x93, 0x0a, 0x70, 0x76, 0x23, - 0x3c, 0x3f, 0x15, 0x37, 0xf2, 0xe9, 0x75, 0x45, 
0x01, 0x05, 0xc1, 0x06, 0x16, 0x4b, 0x4b, 0x27, - 0x11, 0xbb, 0x8b, 0x28, 0xab, 0xdb, 0x16, 0x44, 0x3b, 0x56, 0x18, 0x74, 0xa4, 0xe8, 0x6f, 0x51, - 0x15, 0x25, 0x5b, 0xe5, 0x7e, 0x41, 0x83, 0xb0, 0x89, 0x87, 0xde, 0xc6, 0x99, 0x30, 0xb9, 0x4a, - 0xf5, 0xdb, 0x18, 0xdf, 0x7b, 0x2a, 0x51, 0xaa, 0xa0, 0xb2, 0x3b, 0xac, 0x6c, 0x42, 0xa5, 0xbb, - 0x3b, 0x2c, 0xc0, 0x54, 0x61, 0xd8, 0xff, 0xd3, 0x82, 0xf3, 0xb9, 0x43, 0x71, 0x02, 0x36, 0xcb, - 0x5e, 0xda, 0x66, 0xa9, 0x17, 0xb5, 0x6f, 0x35, 0xde, 0xa2, 0x87, 0xfd, 0xf2, 0x1f, 0x2c, 0x98, - 0xd0, 0xf8, 0x27, 0xf0, 0xaa, 0x5e, 0xfa, 0x55, 0x8b, 0xdb, 0xa2, 0xd7, 0xba, 0xde, 0xed, 0xd7, - 0x4a, 0xa0, 0x6e, 0x9e, 0x98, 0x73, 0x93, 0xfe, 0x72, 0xd2, 0x3a, 0x30, 0xcc, 0xc2, 0x4c, 0xe2, - 0x62, 0x42, 0xe8, 0xd2, 0xfc, 0x59, 0xc8, 0x8a, 0x3e, 0xf5, 0x63, 0x7f, 0x63, 0x2c, 0x18, 0xb2, - 0x9b, 0xb2, 0x78, 0x51, 0xff, 0x86, 0xc8, 0xae, 0xd6, 0x37, 0x65, 0x89, 0x76, 0xac, 0x30, 0xa8, - 0x56, 0xf5, 0xdc, 0x30, 0x58, 0xf0, 0x9d, 0x38, 0x16, 0x86, 0x9e, 0xd2, 0xaa, 0x4b, 0x12, 0x80, - 0x35, 0x0e, 0x8b, 0x40, 0xf1, 0xe2, 0x96, 0xef, 0x74, 0x0c, 0x47, 0x8c, 0x51, 0xfd, 0x4b, 0x81, - 0xb0, 0x89, 0x67, 0x37, 0x61, 0x2a, 0xfd, 0x12, 0x8b, 0x64, 0x93, 0x85, 0x7f, 0xf7, 0x35, 0x9c, - 0xb3, 0x50, 0x73, 0xd8, 0x53, 0xcb, 0x6d, 0x47, 0xc8, 0x04, 0x1d, 0x04, 0x2d, 0x01, 0x58, 0xe3, - 0xd8, 0xdf, 0x0c, 0x67, 0x72, 0xc6, 0xac, 0x8f, 0x28, 0xbb, 0x5f, 0x2a, 0xc1, 0xa9, 0xf4, 0x93, - 0x31, 0x4b, 0x90, 0xe4, 0x7d, 0xf6, 0x62, 0x37, 0xdc, 0x25, 0x51, 0x87, 0x76, 0xc3, 0xca, 0x24, - 0x48, 0x76, 0x61, 0xe0, 0x9c, 0xa7, 0xd8, 0x25, 0x30, 0x0d, 0xf5, 0xea, 0x72, 0x7a, 0xdc, 0x2e, - 0x72, 0x7a, 0xe8, 0x91, 0x35, 0x23, 0x83, 0x14, 0x4b, 0x6c, 0xf2, 0xa7, 0x46, 0x12, 0x4b, 0xef, - 0x98, 0x6f, 0x7b, 0x7e, 0xe2, 0x05, 0xe2, 0x95, 0xc5, 0xc4, 0x51, 0x46, 0xd2, 0x4a, 0x37, 0x0a, - 0xce, 0x7b, 0xce, 0xfe, 0xca, 0x10, 0xa8, 0x32, 0x29, 0x2c, 0x72, 0xb3, 0xa0, 0xb8, 0xd7, 0xa3, - 0xa6, 0xd9, 0xaa, 0x2f, 0x3d, 0x74, 0x50, 0x28, 0x15, 0x77, 0xa5, 0x99, 0x3e, 0x77, 
0x35, 0x60, - 0xeb, 0x1a, 0x84, 0x4d, 0x3c, 0xda, 0x13, 0xdf, 0xdb, 0x25, 0xfc, 0xa1, 0xe1, 0x74, 0x4f, 0x96, - 0x25, 0x00, 0x6b, 0x1c, 0x56, 0x67, 0xdd, 0xdb, 0xdc, 0x14, 0x7e, 0x21, 0x5d, 0x67, 0xdd, 0xdb, - 0xdc, 0xc4, 0x0c, 0xc2, 0xaf, 0x09, 0x0b, 0x77, 0xc4, 0xc6, 0xc0, 0xb8, 0x26, 0x2c, 0xdc, 0xc1, - 0x0c, 0x42, 0xbf, 0x52, 0x10, 0x46, 0x4d, 0xc7, 0xf7, 0x5e, 0x23, 0x0d, 0xc5, 0x45, 0x6c, 0x08, - 0xd4, 0x57, 0xba, 0xd9, 0x8d, 0x82, 0xf3, 0x9e, 0xa3, 0x13, 0xba, 0x15, 0x91, 0x86, 0xe7, 0x26, - 0x26, 0x35, 0x48, 0x4f, 0xe8, 0xb5, 0x2e, 0x0c, 0x9c, 0xf3, 0x14, 0x9a, 0x83, 0x53, 0xb2, 0xcc, - 0x8d, 0x2c, 0x0d, 0x39, 0x9a, 0xae, 0x2f, 0x87, 0xd3, 0x60, 0x9c, 0xc5, 0xa7, 0x12, 0xab, 0x29, - 0xca, 0x15, 0xb3, 0xfd, 0x83, 0x21, 0xb1, 0x64, 0x19, 0x63, 0xac, 0x30, 0xec, 0x4f, 0x96, 0xa9, - 0x86, 0xed, 0x51, 0x15, 0xfc, 0xc4, 0xe2, 0xac, 0xd3, 0x33, 0x72, 0xa8, 0x8f, 0x19, 0xf9, 0x6e, - 0x18, 0xbb, 0x1b, 0x87, 0x81, 0x8a, 0x61, 0xae, 0xf4, 0x8c, 0x61, 0x36, 0xb0, 0xf2, 0x63, 0x98, - 0x87, 0x8b, 0x8a, 0x61, 0x1e, 0x79, 0xc8, 0x18, 0xe6, 0x7f, 0x5d, 0x01, 0x75, 0x0f, 0xec, 0x4d, - 0x92, 0xdc, 0x0b, 0xa3, 0x1d, 0x2f, 0xd8, 0x62, 0x25, 0x5b, 0xbe, 0x6c, 0xc9, 0xaa, 0x2f, 0xcb, - 0x66, 0x6e, 0xef, 0x66, 0x41, 0x77, 0x79, 0xa6, 0x98, 0xcd, 0xac, 0x1b, 0x8c, 0x78, 0x2c, 0x4c, - 0xa6, 0xba, 0x8c, 0x70, 0xf3, 0xa7, 0x7a, 0x84, 0xbe, 0x1b, 0x40, 0x3a, 0xd1, 0x37, 0xa5, 0x04, - 0x5e, 0x2a, 0xa6, 0x7f, 0x98, 0x6c, 0x6a, 0xfb, 0x76, 0x5d, 0x31, 0xc1, 0x06, 0x43, 0xf4, 0x59, - 0x9d, 0xf7, 0xcc, 0x93, 0x9d, 0x3e, 0x7a, 0x2c, 0x63, 0xd3, 0x4f, 0xd6, 0x33, 0x86, 0x11, 0x2f, - 0xd8, 0xa2, 0xf3, 0x44, 0xc4, 0x7a, 0xbe, 0x35, 0xaf, 0x22, 0xd8, 0x72, 0xe8, 0x34, 0xe6, 0x1d, - 0xdf, 0x09, 0x5c, 0x12, 0x2d, 0x71, 0x74, 0xbd, 0x31, 0x12, 0x0d, 0x58, 0x12, 0xea, 0xba, 0xac, - 0xb6, 0xd2, 0xcf, 0x65, 0xb5, 0x17, 0xbe, 0x1d, 0x26, 0xbb, 0x3e, 0xe6, 0x91, 0x92, 0x9c, 0x07, - 0xa8, 0x05, 0xf6, 0xcb, 0xc3, 0x5a, 0x69, 0xdd, 0x0c, 0x1b, 0xfc, 0xee, 0xd3, 0x48, 0x7f, 0x51, - 0x61, 0xbf, 0x16, 0x38, 
0x45, 0x94, 0x9a, 0x31, 0x1a, 0xb1, 0xc9, 0x92, 0xce, 0xd1, 0x96, 0x13, - 0x91, 0xe0, 0xb8, 0xe7, 0xe8, 0x9a, 0x62, 0x82, 0x0d, 0x86, 0x68, 0x3b, 0x95, 0x8d, 0x77, 0x65, - 0xf0, 0x6c, 0x3c, 0x56, 0x9f, 0x35, 0xef, 0x8a, 0xc0, 0xd7, 0x2d, 0x98, 0x08, 0x52, 0x33, 0xb7, - 0x98, 0x00, 0xfc, 0xfc, 0x55, 0xc1, 0xaf, 0x11, 0x4f, 0xb7, 0xe1, 0x0c, 0xff, 0x3c, 0x95, 0x56, - 0x39, 0xa2, 0x4a, 0xd3, 0x77, 0x2f, 0x0f, 0xf7, 0xba, 0x7b, 0x19, 0x05, 0xea, 0x52, 0xfc, 0x91, - 0x22, 0x6a, 0x9a, 0xa4, 0x6e, 0xc4, 0x87, 0x9c, 0xdb, 0xf0, 0xef, 0x98, 0xc9, 0xba, 0x47, 0xbf, - 0x1c, 0x7d, 0xbc, 0x57, 0x52, 0xaf, 0xfd, 0x7f, 0x86, 0xe0, 0xb4, 0x1c, 0x11, 0x99, 0xbc, 0x43, - 0xf5, 0x23, 0xe7, 0xab, 0x6d, 0x65, 0xa5, 0x1f, 0xaf, 0x49, 0x00, 0xd6, 0x38, 0xd4, 0x1e, 0x6b, - 0xc7, 0x64, 0xb5, 0x45, 0x82, 0x65, 0x6f, 0x23, 0x16, 0x07, 0xe6, 0x6a, 0xa1, 0xdc, 0xd2, 0x20, - 0x6c, 0xe2, 0xb1, 0x8c, 0x62, 0xd7, 0x2c, 0xeb, 0xa1, 0x33, 0x8a, 0x85, 0xa1, 0x2a, 0xe1, 0xe8, - 0xc7, 0x73, 0xaf, 0x29, 0x29, 0x26, 0xe5, 0xb5, 0x2b, 0x67, 0xe9, 0x68, 0xf7, 0x93, 0xa0, 0x7f, - 0x68, 0xc1, 0x39, 0xde, 0x2a, 0x47, 0xf2, 0x56, 0xab, 0xe1, 0x24, 0x24, 0x2e, 0xe6, 0x7a, 0xb9, - 0x9c, 0xfe, 0x69, 0xbf, 0x77, 0x1e, 0x5b, 0x9c, 0xdf, 0x1b, 0xf4, 0x45, 0x0b, 0x4e, 0xed, 0xa4, - 0xca, 0x72, 0x49, 0xd5, 0x31, 0x68, 0xcd, 0x9a, 0x14, 0x51, 0xbd, 0xd4, 0xd2, 0xed, 0x31, 0xce, - 0x72, 0xb7, 0xff, 0xd2, 0x02, 0x53, 0x8c, 0x9e, 0x7c, 0x35, 0xaf, 0xa3, 0x9b, 0x82, 0xd2, 0xba, - 0xac, 0xf4, 0xb4, 0x2e, 0x9f, 0x81, 0x72, 0xdb, 0x6b, 0x88, 0xfd, 0x85, 0x3e, 0xa2, 0x5f, 0x5a, - 0xc4, 0xb4, 0xdd, 0xfe, 0xd3, 0x8a, 0xf6, 0x49, 0x88, 0x8c, 0xd2, 0xbf, 0x16, 0xaf, 0xbd, 0xa9, - 0xca, 0xf4, 0xf2, 0x37, 0xbf, 0xd9, 0x55, 0xa6, 0xf7, 0x5b, 0x8f, 0x9e, 0x30, 0xcc, 0x07, 0xa8, - 0x57, 0x95, 0xde, 0x91, 0x43, 0xb2, 0x85, 0xef, 0x42, 0x95, 0x6e, 0xc1, 0x98, 0x73, 0xb1, 0x9a, - 0xea, 0x54, 0xf5, 0x9a, 0x68, 0x7f, 0xb0, 0x3f, 0xfd, 0x2d, 0x47, 0xef, 0x96, 0x7c, 0x1a, 0x2b, - 0xfa, 0x28, 0x86, 0x1a, 0xfd, 0xcd, 0x12, 0x9b, 0xc5, 0xe6, 
0xee, 0x96, 0x92, 0x99, 0x12, 0x50, - 0x48, 0xd6, 0xb4, 0xe6, 0x83, 0x02, 0xa8, 0x51, 0x44, 0xce, 0x94, 0xef, 0x01, 0xd7, 0x54, 0x7a, - 0xb1, 0x04, 0x3c, 0xd8, 0x9f, 0x7e, 0xf9, 0xe8, 0x4c, 0xd5, 0xe3, 0x58, 0xb3, 0x30, 0x54, 0xe3, - 0x68, 0x2f, 0xd5, 0x68, 0xff, 0xdf, 0x21, 0x3d, 0xbf, 0x45, 0x05, 0xe7, 0xbf, 0x16, 0xf3, 0xfb, - 0xa5, 0xcc, 0xfc, 0xbe, 0xd8, 0x35, 0xbf, 0x27, 0xe8, 0x98, 0xe5, 0xd4, 0x95, 0x3e, 0x69, 0x63, - 0xe1, 0x70, 0x9f, 0x04, 0xb3, 0x92, 0x5e, 0x6d, 0x7b, 0x11, 0x89, 0xd7, 0xa2, 0x76, 0xe0, 0x05, - 0x5b, 0x6c, 0xca, 0x56, 0x4d, 0x2b, 0x29, 0x05, 0xc6, 0x59, 0x7c, 0xba, 0xf1, 0xa7, 0xf3, 0xe2, - 0x8e, 0xb3, 0xcb, 0x67, 0x9e, 0x51, 0x3d, 0xb3, 0x2e, 0xda, 0xb1, 0xc2, 0x40, 0xdb, 0xf0, 0xb4, - 0x24, 0xb0, 0x48, 0x7c, 0x42, 0x5f, 0x88, 0x85, 0x1e, 0x46, 0x4d, 0x9e, 0x18, 0xc0, 0xa3, 0x47, - 0xbe, 0x5e, 0x50, 0x78, 0x1a, 0x1f, 0x80, 0x8b, 0x0f, 0xa4, 0x64, 0xff, 0x11, 0x0b, 0x36, 0x30, - 0xea, 0x3b, 0xd0, 0xd9, 0xe7, 0x7b, 0x4d, 0x4f, 0x16, 0xf9, 0x54, 0xb3, 0x6f, 0x99, 0x36, 0x62, - 0x0e, 0x43, 0xf7, 0x60, 0x64, 0xc3, 0x71, 0x77, 0xc2, 0xcd, 0xcd, 0x62, 0xae, 0xe6, 0x9a, 0xe7, - 0xc4, 0x58, 0x81, 0xef, 0x11, 0xf1, 0xe7, 0x81, 0xfe, 0x89, 0x25, 0x37, 0x7e, 0x2d, 0x04, 0xbb, - 0xe9, 0x5b, 0x38, 0xee, 0x8c, 0x6b, 0x21, 0xf8, 0x05, 0xe0, 0x12, 0x6e, 0xff, 0x5e, 0x05, 0x4e, - 0xc9, 0xd8, 0xb1, 0x6b, 0x5e, 0xcc, 0xc2, 0x0d, 0xcc, 0x0b, 0x12, 0x4a, 0x87, 0x5e, 0x90, 0xf0, - 0x61, 0x80, 0x06, 0x69, 0xf9, 0x61, 0x87, 0xd9, 0x91, 0x43, 0x47, 0xb6, 0x23, 0xd5, 0xd6, 0x63, - 0x51, 0x51, 0xc1, 0x06, 0x45, 0x51, 0x04, 0x95, 0xdf, 0xb7, 0x90, 0x29, 0x82, 0x6a, 0xdc, 0xf5, - 0x37, 0x7c, 0xb2, 0x77, 0xfd, 0x79, 0x70, 0x8a, 0x77, 0x51, 0x15, 0x5c, 0x78, 0x88, 0xba, 0x0a, - 0x2c, 0x65, 0x6d, 0x31, 0x4d, 0x06, 0x67, 0xe9, 0x9a, 0x17, 0xf9, 0x55, 0x4f, 0xfa, 0x22, 0xbf, - 0xb7, 0x43, 0x4d, 0x7e, 0xe7, 0x78, 0xaa, 0xa6, 0x8b, 0x01, 0xc9, 0x69, 0x10, 0x63, 0x0d, 0xef, - 0xaa, 0x1d, 0x03, 0x8f, 0xaa, 0x76, 0x8c, 0xfd, 0x7a, 0x99, 0x6e, 0x40, 0x78, 0xbf, 0x8e, 0x7c, - 
0x0f, 0xe6, 0x35, 0xe3, 0x1e, 0xcc, 0xa3, 0x7d, 0xcf, 0x6a, 0xe6, 0xbe, 0xcc, 0xa7, 0x61, 0x28, - 0x71, 0xb6, 0x64, 0x86, 0x2d, 0x83, 0xae, 0x3b, 0x5b, 0x31, 0x66, 0xad, 0x47, 0xa9, 0x19, 0xfd, - 0x32, 0x8c, 0xc7, 0xde, 0x56, 0xe0, 0x24, 0xed, 0x88, 0x18, 0xe7, 0x8e, 0x3a, 0x02, 0xc7, 0x04, - 0xe2, 0x34, 0x2e, 0xfa, 0x94, 0x05, 0x10, 0x11, 0xb5, 0xbd, 0x19, 0x2e, 0x62, 0x0e, 0x29, 0x31, - 0x20, 0xe9, 0x9a, 0x35, 0x3f, 0xd4, 0xb6, 0xc6, 0x60, 0x6b, 0x7f, 0xc6, 0x82, 0xc9, 0xae, 0xa7, - 0x50, 0x0b, 0x86, 0x5d, 0x76, 0x5b, 0x69, 0x31, 0x75, 0x2e, 0xd3, 0x37, 0x9f, 0x72, 0x3d, 0xc6, - 0xdb, 0xb0, 0xe0, 0x63, 0xff, 0xca, 0x18, 0x9c, 0xad, 0x2f, 0xac, 0xc8, 0x5b, 0x8e, 0x8e, 0x2d, - 0x65, 0x38, 0x8f, 0xc7, 0xc9, 0xa5, 0x0c, 0xf7, 0xe0, 0xee, 0x1b, 0x29, 0xc3, 0xbe, 0x91, 0x32, - 0x9c, 0xce, 0xdf, 0x2c, 0x17, 0x91, 0xbf, 0x99, 0xd7, 0x83, 0x7e, 0xf2, 0x37, 0x8f, 0x2d, 0x87, - 0xf8, 0xc0, 0x0e, 0x1d, 0x29, 0x87, 0x58, 0x25, 0x58, 0x17, 0x92, 0x2e, 0xd6, 0xe3, 0x53, 0xe5, - 0x26, 0x58, 0xab, 0xe4, 0x56, 0x9e, 0x0a, 0x29, 0x94, 0xde, 0x2b, 0xc5, 0x77, 0xa0, 0x8f, 0xe4, - 0x56, 0x91, 0x8d, 0x69, 0x26, 0x54, 0x8f, 0x14, 0x91, 0x50, 0x9d, 0xd7, 0x9d, 0x43, 0x13, 0xaa, - 0x5f, 0x86, 0x71, 0xd7, 0x0f, 0x03, 0xb2, 0x16, 0x85, 0x49, 0xe8, 0x86, 0xf2, 0x9e, 0x7a, 0x7d, - 0xcd, 0xa7, 0x09, 0xc4, 0x69, 0xdc, 0x5e, 0xd9, 0xd8, 0xb5, 0x41, 0xb3, 0xb1, 0xe1, 0x11, 0x65, - 0x63, 0x1b, 0xf9, 0xc6, 0xa3, 0x45, 0xe4, 0x1b, 0xe7, 0x7d, 0x91, 0xbe, 0xf2, 0x8d, 0xdf, 0xb0, - 0x60, 0xdc, 0xb9, 0xc7, 0xf6, 0x2d, 0x5c, 0x0a, 0xb3, 0xd3, 0xbc, 0xd1, 0x4b, 0x1f, 0x39, 0x86, - 0x09, 0x7b, 0xa7, 0xae, 0xd9, 0xcc, 0x4f, 0xb2, 0x1c, 0x10, 0xb3, 0x09, 0xa7, 0x3b, 0x32, 0x48, - 0x8e, 0xf2, 0x97, 0x4a, 0xf0, 0x75, 0x87, 0x76, 0x01, 0xdd, 0x03, 0x48, 0x9c, 0x2d, 0x31, 0x51, - 0xc5, 0x99, 0xd7, 0x80, 0x41, 0xc3, 0xeb, 0x92, 0x9e, 0xc8, 0x9f, 0x53, 0xe4, 0xb1, 0xc1, 0x8a, - 0xc5, 0x0a, 0x87, 0x7e, 0x57, 0x89, 0x6a, 0x1c, 0xfa, 0x04, 0x33, 0x08, 0x35, 0x84, 0x22, 0xb2, - 0x45, 0x8d, 0xfb, 0x72, 0xda, 0x10, 
0xc2, 0xac, 0x15, 0x0b, 0x28, 0x7a, 0x11, 0x46, 0x1d, 0xdf, - 0xe7, 0xb9, 0x7c, 0x24, 0x16, 0xf7, 0xef, 0xea, 0xc2, 0xb4, 0x1a, 0x84, 0x4d, 0x3c, 0xfb, 0x2f, - 0x4a, 0x30, 0x7d, 0x88, 0x4c, 0xe9, 0xca, 0xe1, 0xae, 0xf4, 0x9d, 0xc3, 0x2d, 0x72, 0x91, 0x86, - 0x7b, 0xe4, 0x22, 0xbd, 0x08, 0xa3, 0x09, 0x71, 0x9a, 0x22, 0xcc, 0x30, 0x5b, 0x6f, 0x71, 0x5d, - 0x83, 0xb0, 0x89, 0x47, 0xa5, 0xd8, 0x84, 0xe3, 0xba, 0x24, 0x8e, 0x65, 0xb2, 0x91, 0x70, 0x88, - 0x17, 0x96, 0xc9, 0xc4, 0xce, 0x19, 0xe6, 0x52, 0x2c, 0x70, 0x86, 0x65, 0x76, 0xc0, 0x6b, 0x7d, - 0x0e, 0xf8, 0x4f, 0x95, 0xe0, 0x99, 0x03, 0xb5, 0x5b, 0xdf, 0x79, 0x60, 0xed, 0x98, 0x44, 0xd9, - 0x89, 0x73, 0x2b, 0x26, 0x11, 0x66, 0x10, 0x3e, 0x4a, 0xad, 0x96, 0x0a, 0x11, 0x2f, 0x3e, 0x71, - 0x92, 0x8f, 0x52, 0x8a, 0x05, 0xce, 0xb0, 0x7c, 0xd8, 0x69, 0xf9, 0x7b, 0x43, 0xf0, 0x5c, 0x1f, - 0x36, 0x40, 0x81, 0x09, 0xa6, 0xe9, 0xe4, 0xe9, 0xf2, 0x23, 0x4a, 0x9e, 0x7e, 0xb8, 0xe1, 0x7a, - 0x33, 0xe7, 0xba, 0xaf, 0x44, 0xd6, 0x9f, 0x29, 0xc1, 0x85, 0xde, 0x06, 0x0b, 0xfa, 0x36, 0x38, - 0x15, 0xa9, 0x50, 0x42, 0x33, 0xef, 0xfa, 0x0c, 0x77, 0x87, 0xa5, 0x40, 0x38, 0x8b, 0x8b, 0x66, - 0x00, 0x5a, 0x4e, 0xb2, 0x1d, 0x5f, 0xde, 0xf3, 0xe2, 0x44, 0x14, 0xaa, 0x9b, 0xe0, 0x87, 0xb4, - 0xb2, 0x15, 0x1b, 0x18, 0x94, 0x1d, 0xfb, 0xb7, 0x18, 0xde, 0x0c, 0x13, 0xfe, 0x10, 0xdf, 0x7a, - 0x9e, 0x91, 0xd7, 0x3a, 0x1a, 0x20, 0x9c, 0xc5, 0xa5, 0xec, 0x58, 0x18, 0x00, 0xef, 0xe8, 0x90, - 0xce, 0xd4, 0x5e, 0x56, 0xad, 0xd8, 0xc0, 0xc8, 0x66, 0x94, 0x57, 0x0e, 0xcf, 0x28, 0xb7, 0xff, - 0x45, 0x09, 0xce, 0xf7, 0x34, 0x78, 0xfb, 0x13, 0x53, 0x8f, 0x5f, 0x56, 0xf7, 0x43, 0xae, 0xb0, - 0x23, 0x65, 0x03, 0xdb, 0x7f, 0xd2, 0x63, 0xa6, 0x89, 0x4c, 0xdf, 0x87, 0x2f, 0x8a, 0xf2, 0xf8, - 0x8d, 0x67, 0x57, 0x72, 0xef, 0xd0, 0x11, 0x92, 0x7b, 0x33, 0x1f, 0xa3, 0xd2, 0xa7, 0x76, 0xf8, - 0x2f, 0x43, 0x3d, 0x87, 0x97, 0x6e, 0x90, 0xfb, 0x3a, 0x6c, 0x58, 0x84, 0xd3, 0x5e, 0xc0, 0x2e, - 0xea, 0xad, 0xb7, 0x37, 0x44, 0xed, 0x32, 0x5e, 0xa0, 0x57, 0xa5, 0xd6, 
0x2c, 0x65, 0xe0, 0xb8, - 0xeb, 0x89, 0xc7, 0x30, 0xd9, 0xfa, 0xe1, 0x86, 0xf4, 0x88, 0x92, 0x7b, 0x15, 0xce, 0xc9, 0xa1, - 0xd8, 0x76, 0x22, 0xd2, 0x10, 0xca, 0x36, 0x16, 0xc9, 0x54, 0xe7, 0x79, 0x42, 0x56, 0x0e, 0x02, - 0xce, 0x7f, 0x8e, 0xdd, 0xaa, 0x1a, 0xb6, 0x3c, 0x57, 0x6c, 0x05, 0xf5, 0xad, 0xaa, 0xb4, 0x11, - 0x73, 0x98, 0xd6, 0x17, 0xb5, 0x93, 0xd1, 0x17, 0x1f, 0x86, 0x9a, 0x1a, 0x6f, 0x9e, 0x0b, 0xa1, - 0x26, 0x79, 0x57, 0x2e, 0x84, 0x9a, 0xe1, 0x06, 0x16, 0x9d, 0x1d, 0x74, 0xa3, 0x92, 0x59, 0xad, - 0x94, 0x1f, 0x6d, 0xb7, 0xdf, 0x05, 0x63, 0xca, 0x17, 0xd8, 0xef, 0xdd, 0xb6, 0xf6, 0x5f, 0x95, - 0x20, 0x73, 0x8d, 0x1b, 0xda, 0x83, 0x5a, 0x23, 0xea, 0xf0, 0xc6, 0x62, 0x0a, 0x44, 0x2f, 0x4a, - 0x72, 0xfa, 0xcc, 0x4c, 0x35, 0x61, 0xcd, 0x0c, 0x7d, 0x8c, 0xd7, 0x62, 0x16, 0xac, 0x4b, 0x45, - 0x24, 0xdc, 0xd7, 0x15, 0x3d, 0xf3, 0xf2, 0x4a, 0xd9, 0x86, 0x0d, 0x7e, 0x28, 0x81, 0xda, 0xb6, - 0xbc, 0xae, 0xae, 0x18, 0x71, 0xa7, 0x6e, 0xbf, 0xe3, 0x26, 0x9a, 0xfa, 0x8b, 0x35, 0x23, 0xfb, - 0x8f, 0x4b, 0x70, 0x36, 0xfd, 0x01, 0xc4, 0x19, 0xe7, 0xcf, 0x5a, 0xf0, 0xa4, 0xef, 0xc4, 0x49, - 0xbd, 0xcd, 0x36, 0x0a, 0x9b, 0x6d, 0x7f, 0x35, 0x53, 0xb6, 0x7b, 0x50, 0x67, 0x8b, 0x22, 0x9c, - 0xbd, 0xde, 0x70, 0xfe, 0xa9, 0xfb, 0xfb, 0xd3, 0x4f, 0x2e, 0xe7, 0x33, 0xc7, 0xbd, 0x7a, 0x85, - 0x5e, 0xb7, 0xe0, 0xb4, 0xdb, 0x8e, 0x22, 0x12, 0x24, 0xba, 0xab, 0xfc, 0x2b, 0xde, 0x2c, 0x64, - 0x20, 0x75, 0x07, 0xcf, 0x52, 0x81, 0xba, 0x90, 0xe1, 0x85, 0xbb, 0xb8, 0xdb, 0x3f, 0x48, 0x35, - 0x67, 0xcf, 0xf7, 0xfc, 0x1b, 0x76, 0x1f, 0xe3, 0x9f, 0x0d, 0xc3, 0x78, 0xaa, 0x36, 0x79, 0xea, - 0xb0, 0xcf, 0x3a, 0xf4, 0xb0, 0x8f, 0xa5, 0xff, 0xb5, 0x03, 0x79, 0x55, 0xbd, 0x91, 0xfe, 0xd7, - 0x0e, 0x08, 0xe6, 0x30, 0x31, 0xa4, 0xb8, 0x1d, 0x88, 0xd3, 0x47, 0x73, 0x48, 0x71, 0x3b, 0xc0, - 0x02, 0x8a, 0x3e, 0x61, 0xc1, 0x18, 0x5b, 0x7c, 0xe2, 0x54, 0x55, 0x28, 0xb4, 0xeb, 0x05, 0x2c, - 0x77, 0x59, 0x87, 0x9f, 0x85, 0x99, 0x9a, 0x2d, 0x38, 0xc5, 0x11, 0x7d, 0xda, 0x82, 0x9a, 0xba, - 0x17, 0x57, 
0x9c, 0x8d, 0xd4, 0x8b, 0x2d, 0xfd, 0x9e, 0x91, 0x7a, 0xaa, 0x06, 0x37, 0xd6, 0x8c, - 0x51, 0xac, 0xce, 0x31, 0x47, 0x8e, 0xe7, 0x1c, 0x13, 0x72, 0xce, 0x30, 0xdf, 0x0e, 0xb5, 0xa6, - 0x13, 0x78, 0x9b, 0x24, 0x4e, 0xf8, 0xd1, 0xa2, 0xbc, 0xe9, 0x43, 0x36, 0x62, 0x0d, 0xa7, 0xc6, - 0x7e, 0xcc, 0x5e, 0x2c, 0x31, 0xce, 0x02, 0x99, 0xb1, 0x5f, 0xd7, 0xcd, 0xd8, 0xc4, 0x31, 0x0f, - 0x2e, 0xe1, 0x91, 0x1e, 0x5c, 0x8e, 0x1e, 0x72, 0x70, 0x59, 0x87, 0x73, 0x4e, 0x3b, 0x09, 0xaf, - 0x11, 0xc7, 0x9f, 0x4b, 0x12, 0xd2, 0x6c, 0x25, 0x31, 0x2f, 0x67, 0x3f, 0xc6, 0x5c, 0xc0, 0x2a, - 0x30, 0xae, 0x4e, 0xfc, 0xcd, 0x2e, 0x24, 0x9c, 0xff, 0xac, 0xfd, 0xcf, 0x2c, 0x38, 0x97, 0x3b, - 0x15, 0x1e, 0xdf, 0x94, 0x04, 0xfb, 0x47, 0x2a, 0x70, 0x26, 0xe7, 0xe6, 0x02, 0xd4, 0x31, 0x17, - 0x89, 0x55, 0x44, 0x74, 0x5f, 0x3a, 0x58, 0x4d, 0x7e, 0x9b, 0x9c, 0x95, 0x71, 0xb4, 0x58, 0x04, - 0x1d, 0x0f, 0x50, 0x3e, 0xd9, 0x78, 0x00, 0x63, 0xae, 0x0f, 0x3d, 0xd2, 0xb9, 0x5e, 0x39, 0x64, - 0xae, 0xff, 0x9c, 0x05, 0x53, 0xcd, 0x1e, 0xd7, 0x90, 0x89, 0xf3, 0xa4, 0xdb, 0xc7, 0x73, 0xc9, - 0xd9, 0xfc, 0xd3, 0xf7, 0xf7, 0xa7, 0x7b, 0xde, 0xfe, 0x86, 0x7b, 0xf6, 0xca, 0xfe, 0x4a, 0x19, - 0x98, 0xbd, 0xc6, 0xaa, 0x53, 0x77, 0xd0, 0xc7, 0xcd, 0x0b, 0x50, 0xac, 0xa2, 0x2e, 0xeb, 0xe0, - 0xc4, 0xd5, 0x05, 0x2a, 0x7c, 0x04, 0xf3, 0xee, 0x53, 0xc9, 0x4a, 0xc2, 0x52, 0x1f, 0x92, 0xd0, - 0x97, 0x37, 0xcd, 0x94, 0x8b, 0xbf, 0x69, 0xa6, 0x96, 0xbd, 0x65, 0xe6, 0xe0, 0x4f, 0x3c, 0xf4, - 0x58, 0x7e, 0xe2, 0x5f, 0xb3, 0xb8, 0xe0, 0xc9, 0x7c, 0x05, 0x6d, 0x6e, 0x58, 0x07, 0x98, 0x1b, - 0x2f, 0x40, 0x35, 0x16, 0x92, 0x59, 0x98, 0x25, 0x3a, 0x6a, 0x4c, 0xb4, 0x63, 0x85, 0x41, 0x77, - 0x5d, 0x8e, 0xef, 0x87, 0xf7, 0x2e, 0x37, 0x5b, 0x49, 0x47, 0x18, 0x28, 0x6a, 0x5b, 0x30, 0xa7, - 0x20, 0xd8, 0xc0, 0x42, 0xdf, 0x00, 0x23, 0xbc, 0x8c, 0x44, 0x43, 0x78, 0x77, 0x46, 0xe9, 0x42, - 0xe4, 0x45, 0x26, 0x1a, 0x58, 0xc2, 0xec, 0x6d, 0x30, 0xf6, 0x15, 0x0f, 0x7f, 0xdb, 0xf5, 0xe1, - 0x17, 0x58, 0xda, 0x7f, 0xbf, 0x24, 0x58, 0xf1, 
0x7d, 0x82, 0x0e, 0x23, 0xb4, 0x8e, 0x18, 0x46, - 0xf8, 0x31, 0x00, 0x37, 0x6c, 0xb6, 0xe8, 0xce, 0x79, 0x3d, 0x2c, 0x66, 0xbb, 0xb5, 0xa0, 0xe8, - 0xe9, 0x71, 0xd5, 0x6d, 0xd8, 0xe0, 0x97, 0x12, 0xee, 0xe5, 0x43, 0x85, 0x7b, 0x4a, 0xce, 0x0d, - 0x1d, 0x2c, 0xe7, 0xec, 0xbf, 0xb0, 0x20, 0x65, 0xf7, 0xa1, 0x16, 0x54, 0x68, 0x77, 0x3b, 0x42, - 0x64, 0xac, 0x16, 0x67, 0x64, 0x52, 0x59, 0x2d, 0xd6, 0x21, 0xfb, 0x89, 0x39, 0x23, 0xe4, 0x8b, - 0x90, 0xc9, 0x42, 0xb6, 0x3f, 0x26, 0xc3, 0x6b, 0x61, 0xb8, 0xc3, 0xc3, 0x89, 0x74, 0xf8, 0xa5, - 0xfd, 0x12, 0x4c, 0x76, 0x75, 0x8a, 0xdd, 0x90, 0x1d, 0xca, 0x3d, 0xbc, 0xb1, 0x7e, 0x58, 0x3d, - 0x07, 0xcc, 0x61, 0xf6, 0xcf, 0x58, 0x70, 0x3a, 0x4b, 0x1e, 0xbd, 0x61, 0xc1, 0x64, 0x9c, 0xa5, - 0x77, 0x5c, 0x63, 0xa7, 0x52, 0x23, 0xba, 0x40, 0xb8, 0xbb, 0x13, 0xf6, 0x7f, 0x17, 0xfa, 0xe0, - 0x8e, 0x17, 0x34, 0xc2, 0x7b, 0xca, 0x52, 0xb2, 0x7a, 0x5a, 0x4a, 0x54, 0x40, 0xb8, 0xdb, 0xa4, - 0xd1, 0xf6, 0xbb, 0x0a, 0x48, 0xd4, 0x45, 0x3b, 0x56, 0x18, 0x2c, 0x5f, 0xbe, 0x2d, 0x76, 0xae, - 0x99, 0x49, 0xb9, 0x28, 0xda, 0xb1, 0xc2, 0x40, 0xef, 0x86, 0x31, 0xe3, 0x25, 0xe5, 0xbc, 0x64, - 0xdb, 0x0e, 0x43, 0x87, 0xc7, 0x38, 0x85, 0x85, 0x66, 0x00, 0x94, 0xd5, 0x25, 0x75, 0x36, 0x73, - 0xb5, 0x2b, 0xd1, 0x18, 0x63, 0x03, 0x83, 0x55, 0xa7, 0xf0, 0xdb, 0x31, 0x3b, 0x4b, 0x1e, 0xd6, - 0xf7, 0x35, 0x2c, 0x88, 0x36, 0xac, 0xa0, 0x54, 0xbc, 0x35, 0x9d, 0xa0, 0xed, 0xf8, 0x74, 0x84, - 0x84, 0xf3, 0x4c, 0x2d, 0xc3, 0x15, 0x05, 0xc1, 0x06, 0x16, 0x7d, 0xe3, 0xc4, 0x6b, 0x92, 0x0f, - 0x84, 0x81, 0x0c, 0x69, 0xd7, 0xe1, 0x05, 0xa2, 0x1d, 0x2b, 0x0c, 0xf4, 0x12, 0x8c, 0x3a, 0x41, - 0x83, 0x9b, 0x88, 0x61, 0x24, 0x4e, 0x29, 0xd5, 0xfe, 0xf3, 0x56, 0x4c, 0xe6, 0x34, 0x14, 0x9b, - 0xa8, 0xd9, 0xcb, 0x2a, 0xa0, 0xcf, 0xcb, 0xf0, 0xfe, 0xdc, 0x82, 0x53, 0xba, 0x26, 0x11, 0xf3, - 0xb1, 0xa5, 0x9c, 0x8b, 0xd6, 0xa1, 0xce, 0xc5, 0x74, 0xd5, 0x91, 0x52, 0x5f, 0x55, 0x47, 0xcc, - 0x82, 0x20, 0xe5, 0x03, 0x0b, 0x82, 0x7c, 0x03, 0x8c, 0xec, 0x90, 0x8e, 0x51, 0x39, 
0x84, 0x69, - 0x87, 0x1b, 0xbc, 0x09, 0x4b, 0x18, 0xb2, 0x61, 0xd8, 0x75, 0x54, 0x89, 0xc2, 0x31, 0x11, 0x9d, - 0x36, 0xc7, 0x90, 0x04, 0xc4, 0x5e, 0x85, 0x9a, 0x3a, 0xd6, 0x97, 0xbe, 0x3e, 0x2b, 0xdf, 0xd7, - 0xd7, 0xd7, 0xb5, 0xfa, 0xf3, 0x1b, 0xbf, 0xf9, 0xd5, 0x67, 0xdf, 0xf2, 0xbb, 0x5f, 0x7d, 0xf6, - 0x2d, 0x7f, 0xf4, 0xd5, 0x67, 0xdf, 0xf2, 0x89, 0xfb, 0xcf, 0x5a, 0xbf, 0x79, 0xff, 0x59, 0xeb, - 0x77, 0xef, 0x3f, 0x6b, 0xfd, 0xd1, 0xfd, 0x67, 0xad, 0xaf, 0xdc, 0x7f, 0xd6, 0x7a, 0xfd, 0x3f, - 0x3f, 0xfb, 0x96, 0x0f, 0xe4, 0x26, 0x51, 0xd0, 0x1f, 0xef, 0x70, 0x1b, 0xb3, 0xbb, 0xef, 0x62, - 0x71, 0xfc, 0x74, 0x3d, 0xcf, 0x1a, 0x93, 0x78, 0x56, 0xae, 0xe7, 0xff, 0x17, 0x00, 0x00, 0xff, - 0xff, 0x4f, 0xf2, 0xd6, 0x99, 0x88, 0x04, 0x01, 0x00, + // 12482 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x7d, 0x6d, 0x70, 0x24, 0xdb, + 0x55, 0x98, 0x7b, 0x46, 0x23, 0xcd, 0x1c, 0x7d, 0xec, 0xea, 0xee, 0xee, 0x7b, 0xda, 0x7d, 0x1f, + 0x5a, 0xfa, 0xc1, 0xb3, 0x89, 0x9f, 0xb5, 0x78, 0xed, 0x67, 0x5e, 0x78, 0x60, 0xa2, 0x91, 0xf6, + 0x43, 0xbb, 0xd2, 0x4a, 0xbe, 0xa3, 0xdd, 0xf5, 0xd7, 0xb3, 0xdd, 0xea, 0xb9, 0x92, 0x7a, 0xd5, + 0xd3, 0x3d, 0xaf, 0xbb, 0x47, 0xbb, 0xf3, 0x30, 0xc6, 0xc6, 0x36, 0x18, 0x6c, 0xec, 0x17, 0x48, + 0x05, 0x93, 0xc4, 0x8e, 0x09, 0xe4, 0xa3, 0x2a, 0x45, 0x41, 0xc2, 0x8f, 0x50, 0x01, 0x8a, 0x0a, + 0x50, 0x14, 0x54, 0x48, 0x20, 0x14, 0x01, 0x12, 0x40, 0xb1, 0x37, 0x49, 0x41, 0xa5, 0x2a, 0x54, + 0x91, 0xe4, 0x47, 0x6a, 0x93, 0x50, 0xa9, 0xfb, 0x7d, 0xbb, 0xa7, 0x47, 0x1a, 0xed, 0xb4, 0xb4, + 0x6b, 0x78, 0xff, 0x66, 0xee, 0x39, 0x7d, 0xce, 0xed, 0xdb, 0xf7, 0x9e, 0x73, 0xee, 0xb9, 0xe7, + 0x9c, 0x0b, 0xcb, 0x5b, 0x5e, 0xb2, 0xdd, 0xd9, 0x98, 0x73, 0xc3, 0xd6, 0x05, 0x27, 0xda, 0x0a, + 0xdb, 0x51, 0x78, 0x87, 0xfd, 0x78, 0x9b, 0xdb, 0xbc, 0xb0, 0xfb, 0x8e, 0x0b, 0xed, 0x9d, 0xad, + 0x0b, 0x4e, 0xdb, 0x8b, 0x2f, 0x38, 0xed, 0xb6, 0xef, 0xb9, 0x4e, 0xe2, 0x85, 0xc1, 0x85, 0xdd, + 0xb7, 0x3b, 0x7e, 
0x7b, 0xdb, 0x79, 0xfb, 0x85, 0x2d, 0x12, 0x90, 0xc8, 0x49, 0x48, 0x73, 0xae, + 0x1d, 0x85, 0x49, 0x88, 0xbe, 0x5d, 0x53, 0x9b, 0x93, 0xd4, 0xd8, 0x8f, 0x0f, 0xbb, 0xcd, 0xb9, + 0xdd, 0x77, 0xcc, 0xb5, 0x77, 0xb6, 0xe6, 0x28, 0xb5, 0x39, 0x83, 0xda, 0x9c, 0xa4, 0x76, 0xee, + 0x6d, 0x46, 0x5f, 0xb6, 0xc2, 0xad, 0xf0, 0x02, 0x23, 0xba, 0xd1, 0xd9, 0x64, 0xff, 0xd8, 0x1f, + 0xf6, 0x8b, 0x33, 0x3b, 0x67, 0xef, 0xbc, 0x14, 0xcf, 0x79, 0x21, 0xed, 0xde, 0x05, 0x37, 0x8c, + 0xc8, 0x85, 0xdd, 0x9e, 0x0e, 0x9d, 0xbb, 0xaa, 0x71, 0xc8, 0xbd, 0x84, 0x04, 0xb1, 0x17, 0x06, + 0xf1, 0xdb, 0x68, 0x17, 0x48, 0xb4, 0x4b, 0x22, 0xf3, 0xf5, 0x0c, 0x84, 0x3c, 0x4a, 0xef, 0xd4, + 0x94, 0x5a, 0x8e, 0xbb, 0xed, 0x05, 0x24, 0xea, 0xea, 0xc7, 0x5b, 0x24, 0x71, 0xf2, 0x9e, 0xba, + 0xd0, 0xef, 0xa9, 0xa8, 0x13, 0x24, 0x5e, 0x8b, 0xf4, 0x3c, 0xf0, 0xae, 0x83, 0x1e, 0x88, 0xdd, + 0x6d, 0xd2, 0x72, 0x7a, 0x9e, 0x7b, 0x47, 0xbf, 0xe7, 0x3a, 0x89, 0xe7, 0x5f, 0xf0, 0x82, 0x24, + 0x4e, 0xa2, 0xec, 0x43, 0xf6, 0xdf, 0xb3, 0x60, 0x72, 0xfe, 0x76, 0x63, 0xbe, 0x93, 0x6c, 0x2f, + 0x84, 0xc1, 0xa6, 0xb7, 0x85, 0x5e, 0x84, 0x71, 0xd7, 0xef, 0xc4, 0x09, 0x89, 0x6e, 0x38, 0x2d, + 0x32, 0x63, 0x9d, 0xb7, 0xde, 0x52, 0xab, 0x9f, 0xfa, 0xf5, 0xbd, 0xd9, 0x37, 0xdd, 0xdf, 0x9b, + 0x1d, 0x5f, 0xd0, 0x20, 0x6c, 0xe2, 0xa1, 0x6f, 0x86, 0xb1, 0x28, 0xf4, 0xc9, 0x3c, 0xbe, 0x31, + 0x53, 0x62, 0x8f, 0x9c, 0x10, 0x8f, 0x8c, 0x61, 0xde, 0x8c, 0x25, 0x9c, 0xa2, 0xb6, 0xa3, 0x70, + 0xd3, 0xf3, 0xc9, 0x4c, 0x39, 0x8d, 0xba, 0xc6, 0x9b, 0xb1, 0x84, 0xdb, 0x3f, 0x5e, 0x82, 0x13, + 0xf3, 0xed, 0xf6, 0x55, 0xe2, 0xf8, 0xc9, 0x76, 0x23, 0x71, 0x92, 0x4e, 0x8c, 0x42, 0x18, 0x8d, + 0xd9, 0x2f, 0xd1, 0xb7, 0xdb, 0xe2, 0xe9, 0x51, 0x0e, 0x7f, 0xb0, 0x37, 0x7b, 0x69, 0xbf, 0x19, + 0xbd, 0xe5, 0x25, 0x61, 0x3b, 0x7e, 0x1b, 0x09, 0xb6, 0xbc, 0x80, 0xb0, 0xf1, 0xd9, 0x66, 0xd4, + 0xe7, 0x4c, 0x26, 0x0b, 0x61, 0x93, 0x60, 0xc1, 0x86, 0xf6, 0xb7, 0x45, 0xe2, 0xd8, 0xd9, 0x22, + 0xd9, 0x57, 0x5b, 0xe1, 0xcd, 0x58, 0xc2, 0x51, 0x04, 
0xc8, 0x77, 0xe2, 0x64, 0x3d, 0x72, 0x82, + 0xd8, 0xa3, 0x53, 0x7b, 0xdd, 0x6b, 0xf1, 0xb7, 0x1c, 0xbf, 0xf8, 0xd7, 0xe6, 0xf8, 0x07, 0x9a, + 0x33, 0x3f, 0x90, 0x5e, 0x0f, 0x74, 0xfe, 0xcc, 0xed, 0xbe, 0x7d, 0x8e, 0x3e, 0x51, 0x7f, 0xe2, + 0xfe, 0xde, 0x2c, 0x5a, 0xee, 0xa1, 0x84, 0x73, 0xa8, 0xdb, 0xbf, 0x57, 0x02, 0x98, 0x6f, 0xb7, + 0xd7, 0xa2, 0xf0, 0x0e, 0x71, 0x13, 0xf4, 0x11, 0xa8, 0x52, 0x52, 0x4d, 0x27, 0x71, 0xd8, 0x00, + 0x8d, 0x5f, 0xfc, 0x96, 0xc1, 0x18, 0xaf, 0x6e, 0xd0, 0xe7, 0x57, 0x48, 0xe2, 0xd4, 0x91, 0x78, + 0x41, 0xd0, 0x6d, 0x58, 0x51, 0x45, 0x01, 0x8c, 0xc4, 0x6d, 0xe2, 0xb2, 0xc1, 0x18, 0xbf, 0xb8, + 0x3c, 0x37, 0xcc, 0x8a, 0x9f, 0xd3, 0x3d, 0x6f, 0xb4, 0x89, 0x5b, 0x9f, 0x10, 0x9c, 0x47, 0xe8, + 0x3f, 0xcc, 0xf8, 0xa0, 0x5d, 0xf5, 0xc1, 0xf9, 0x40, 0xde, 0x28, 0x8c, 0x23, 0xa3, 0x5a, 0x9f, + 0x4a, 0x4f, 0x20, 0xf9, 0xdd, 0xed, 0x3f, 0xb6, 0x60, 0x4a, 0x23, 0x2f, 0x7b, 0x71, 0x82, 0x3e, + 0xd8, 0x33, 0xb8, 0x73, 0x83, 0x0d, 0x2e, 0x7d, 0x9a, 0x0d, 0xed, 0x49, 0xc1, 0xac, 0x2a, 0x5b, + 0x8c, 0x81, 0x6d, 0x41, 0xc5, 0x4b, 0x48, 0x2b, 0x9e, 0x29, 0x9d, 0x2f, 0xbf, 0x65, 0xfc, 0xe2, + 0xd5, 0xa2, 0xde, 0xb3, 0x3e, 0x29, 0x98, 0x56, 0x96, 0x28, 0x79, 0xcc, 0xb9, 0xd8, 0xbf, 0x39, + 0x65, 0xbe, 0x1f, 0x1d, 0x70, 0xf4, 0x76, 0x18, 0x8f, 0xc3, 0x4e, 0xe4, 0x12, 0x4c, 0xda, 0x21, + 0x5d, 0x60, 0x65, 0x3a, 0xdd, 0xe9, 0xc2, 0x6f, 0xe8, 0x66, 0x6c, 0xe2, 0xa0, 0xcf, 0x5b, 0x30, + 0xd1, 0x24, 0x71, 0xe2, 0x05, 0x8c, 0xbf, 0xec, 0xfc, 0xfa, 0xd0, 0x9d, 0x97, 0x8d, 0x8b, 0x9a, + 0x78, 0xfd, 0xb4, 0x78, 0x91, 0x09, 0xa3, 0x31, 0xc6, 0x29, 0xfe, 0x54, 0x80, 0x35, 0x49, 0xec, + 0x46, 0x5e, 0x9b, 0xfe, 0x17, 0x22, 0x46, 0x09, 0xb0, 0x45, 0x0d, 0xc2, 0x26, 0x1e, 0x0a, 0xa0, + 0x42, 0x05, 0x54, 0x3c, 0x33, 0xc2, 0xfa, 0xbf, 0x34, 0x5c, 0xff, 0xc5, 0xa0, 0x52, 0xd9, 0xa7, + 0x47, 0x9f, 0xfe, 0x8b, 0x31, 0x67, 0x83, 0xfe, 0xa5, 0x05, 0x33, 0x42, 0x80, 0x62, 0xc2, 0x07, + 0xf4, 0xf6, 0xb6, 0x97, 0x10, 0xdf, 0x8b, 0x93, 0x99, 0x0a, 0xeb, 0xc3, 0x07, 0x87, 0xeb, 
0xc3, + 0x42, 0x9a, 0x3a, 0x26, 0x71, 0x12, 0x79, 0x2e, 0xc5, 0xa1, 0xd3, 0xa0, 0x7e, 0x5e, 0x74, 0x6b, + 0x66, 0xa1, 0x4f, 0x2f, 0x70, 0xdf, 0xfe, 0xa1, 0x1f, 0xb1, 0xe0, 0x5c, 0xe0, 0xb4, 0x48, 0xdc, + 0x76, 0x18, 0x61, 0x06, 0xae, 0xfb, 0x8e, 0xbb, 0xc3, 0xba, 0x3f, 0xca, 0xba, 0x7f, 0x61, 0xb0, + 0xa5, 0x71, 0x25, 0x0a, 0x3b, 0xed, 0xeb, 0x5e, 0xd0, 0xac, 0xdb, 0xa2, 0x47, 0xe7, 0x6e, 0xf4, + 0x25, 0x8d, 0xf7, 0x61, 0x8b, 0x7e, 0xc2, 0x82, 0xe9, 0x30, 0x6a, 0x6f, 0x3b, 0x01, 0x69, 0x4a, + 0x68, 0x3c, 0x33, 0xc6, 0xd6, 0xe9, 0x87, 0x86, 0x1b, 0xcb, 0xd5, 0x2c, 0xd9, 0x95, 0x30, 0xf0, + 0x92, 0x30, 0x6a, 0x90, 0x24, 0xf1, 0x82, 0xad, 0xb8, 0x7e, 0xe6, 0xfe, 0xde, 0xec, 0x74, 0x0f, + 0x16, 0xee, 0xed, 0x0f, 0xfa, 0x2e, 0x18, 0x8f, 0xbb, 0x81, 0x7b, 0xdb, 0x0b, 0x9a, 0xe1, 0xdd, + 0x78, 0xa6, 0x5a, 0xc4, 0x5a, 0x6f, 0x28, 0x82, 0x62, 0xb5, 0x6a, 0x06, 0xd8, 0xe4, 0x96, 0xff, + 0xe1, 0xf4, 0xbc, 0xab, 0x15, 0xfd, 0xe1, 0xf4, 0x64, 0xda, 0x87, 0x2d, 0xfa, 0x7e, 0x0b, 0x26, + 0x63, 0x6f, 0x2b, 0x70, 0x92, 0x4e, 0x44, 0xae, 0x93, 0x6e, 0x3c, 0x03, 0xac, 0x23, 0xd7, 0x86, + 0x1c, 0x15, 0x83, 0x64, 0xfd, 0x8c, 0xe8, 0xe3, 0xa4, 0xd9, 0x1a, 0xe3, 0x34, 0xdf, 0xbc, 0x55, + 0xa9, 0xa7, 0xf5, 0xf8, 0x23, 0x5c, 0x95, 0x7a, 0x05, 0xf4, 0xed, 0x1f, 0xfa, 0x1b, 0x70, 0x92, + 0x37, 0xa9, 0xcf, 0x10, 0xcf, 0x4c, 0x30, 0x11, 0x7e, 0xfa, 0xfe, 0xde, 0xec, 0xc9, 0x46, 0x06, + 0x86, 0x7b, 0xb0, 0xd1, 0xab, 0x30, 0xdb, 0x26, 0x51, 0xcb, 0x4b, 0x56, 0x03, 0xbf, 0x2b, 0x15, + 0x83, 0x1b, 0xb6, 0x49, 0x53, 0x74, 0x27, 0x9e, 0x99, 0x3c, 0x6f, 0xbd, 0xa5, 0x5a, 0x7f, 0xb3, + 0xe8, 0xe6, 0xec, 0xda, 0xfe, 0xe8, 0xf8, 0x20, 0x7a, 0xe8, 0xd7, 0x2c, 0x38, 0x67, 0xc8, 0xef, + 0x06, 0x89, 0x76, 0x3d, 0x97, 0xcc, 0xbb, 0x6e, 0xd8, 0x09, 0x92, 0x78, 0x66, 0x8a, 0x8d, 0xf9, + 0xc6, 0x51, 0x68, 0x93, 0x34, 0x2b, 0x3d, 0x89, 0xfb, 0xa2, 0xc4, 0x78, 0x9f, 0x9e, 0xda, 0xbf, + 0x51, 0x82, 0x93, 0x59, 0xdb, 0x02, 0xfd, 0x23, 0x0b, 0x4e, 0xdc, 0xb9, 0x9b, 0xac, 0x87, 0x3b, + 0x24, 0x88, 0xeb, 0x5d, 0xaa, 
0x01, 0x98, 0x56, 0x1d, 0xbf, 0xe8, 0x16, 0x6b, 0xc5, 0xcc, 0x5d, + 0x4b, 0x73, 0xb9, 0x14, 0x24, 0x51, 0xb7, 0xfe, 0xa4, 0x78, 0xa7, 0x13, 0xd7, 0x6e, 0xaf, 0x9b, + 0x50, 0x9c, 0xed, 0xd4, 0xb9, 0xcf, 0x5a, 0x70, 0x3a, 0x8f, 0x04, 0x3a, 0x09, 0xe5, 0x1d, 0xd2, + 0xe5, 0xb6, 0x36, 0xa6, 0x3f, 0xd1, 0x2b, 0x50, 0xd9, 0x75, 0xfc, 0x0e, 0x11, 0x06, 0xe0, 0x95, + 0xe1, 0x5e, 0x44, 0xf5, 0x0c, 0x73, 0xaa, 0xdf, 0x56, 0x7a, 0xc9, 0xb2, 0x7f, 0xab, 0x0c, 0xe3, + 0xc6, 0x47, 0x3b, 0x06, 0xa3, 0x36, 0x4c, 0x19, 0xb5, 0x2b, 0x85, 0xcd, 0xb7, 0xbe, 0x56, 0xed, + 0xdd, 0x8c, 0x55, 0xbb, 0x5a, 0x1c, 0xcb, 0x7d, 0xcd, 0x5a, 0x94, 0x40, 0x2d, 0x6c, 0xd3, 0x4d, + 0x20, 0xb5, 0x8e, 0x46, 0x8a, 0xf8, 0x84, 0xab, 0x92, 0x5c, 0x7d, 0xf2, 0xfe, 0xde, 0x6c, 0x4d, + 0xfd, 0xc5, 0x9a, 0x91, 0xfd, 0xfb, 0x16, 0x9c, 0x36, 0xfa, 0xb8, 0x10, 0x06, 0x4d, 0xb6, 0x85, + 0x41, 0xe7, 0x61, 0x24, 0xe9, 0xb6, 0xe5, 0x46, 0x53, 0x8d, 0xd4, 0x7a, 0xb7, 0x4d, 0x30, 0x83, + 0x3c, 0xee, 0xfb, 0xaf, 0x1f, 0xb1, 0xe0, 0x89, 0x7c, 0x01, 0x83, 0x9e, 0x87, 0x51, 0xee, 0x65, + 0x10, 0x6f, 0xa7, 0x3f, 0x09, 0x6b, 0xc5, 0x02, 0x8a, 0x2e, 0x40, 0x4d, 0x69, 0x47, 0xf1, 0x8e, + 0xd3, 0x02, 0xb5, 0xa6, 0x55, 0xaa, 0xc6, 0xa1, 0x83, 0x46, 0xff, 0x08, 0xe3, 0x56, 0x0d, 0x1a, + 0xdb, 0x96, 0x33, 0x88, 0xfd, 0xbb, 0x16, 0x7c, 0xe3, 0x20, 0x62, 0xef, 0xe8, 0xfa, 0xd8, 0x80, + 0x33, 0x4d, 0xb2, 0xe9, 0x74, 0xfc, 0x24, 0xcd, 0x51, 0x74, 0xfa, 0x19, 0xf1, 0xf0, 0x99, 0xc5, + 0x3c, 0x24, 0x9c, 0xff, 0xac, 0xfd, 0x9f, 0x2c, 0xe6, 0x10, 0x90, 0xaf, 0x75, 0x0c, 0x9b, 0xb2, + 0x20, 0xbd, 0x29, 0x5b, 0x2a, 0x6c, 0x99, 0xf6, 0xd9, 0x95, 0xfd, 0x90, 0x05, 0xe7, 0x0c, 0xac, + 0x15, 0x27, 0x71, 0xb7, 0x2f, 0xdd, 0x6b, 0x47, 0x24, 0x8e, 0xe9, 0x94, 0x7a, 0xc6, 0x10, 0xc7, + 0xf5, 0x71, 0x41, 0xa1, 0x7c, 0x9d, 0x74, 0xb9, 0x6c, 0x7e, 0x01, 0xaa, 0x7c, 0xcd, 0x85, 0x91, + 0xf8, 0x48, 0xea, 0xdd, 0x56, 0x45, 0x3b, 0x56, 0x18, 0xc8, 0x86, 0x51, 0x26, 0x73, 0xa9, 0x0c, + 0xa2, 0x66, 0x02, 0xd0, 0xef, 0x7e, 0x8b, 0xb5, 0x60, 0x01, 0xb1, 
0xe3, 0x54, 0x77, 0xd6, 0x22, + 0xc2, 0xe6, 0x43, 0xf3, 0xb2, 0x47, 0xfc, 0x66, 0x4c, 0x37, 0x8c, 0x4e, 0x10, 0x84, 0x89, 0xd8, + 0xfb, 0x19, 0x1b, 0xc6, 0x79, 0xdd, 0x8c, 0x4d, 0x1c, 0xca, 0xd4, 0x77, 0x36, 0x88, 0xcf, 0x47, + 0x54, 0x30, 0x5d, 0x66, 0x2d, 0x58, 0x40, 0xec, 0xfb, 0x25, 0xb6, 0x35, 0x55, 0x12, 0x8d, 0x1c, + 0x87, 0x5f, 0x23, 0x4a, 0xa9, 0x80, 0xb5, 0xe2, 0xe4, 0x31, 0xe9, 0xef, 0xdb, 0x78, 0x2d, 0xa3, + 0x05, 0x70, 0xa1, 0x5c, 0xf7, 0xf7, 0x6f, 0x7c, 0xa9, 0x0c, 0xb3, 0xe9, 0x07, 0x7a, 0x94, 0x08, + 0xdd, 0x4c, 0x1b, 0x8c, 0xb2, 0xde, 0x40, 0x03, 0x1f, 0x9b, 0x78, 0x7d, 0xe4, 0x70, 0xe9, 0x28, + 0xe5, 0xb0, 0xa9, 0x26, 0xca, 0x07, 0xa8, 0x89, 0x05, 0x35, 0xea, 0x23, 0x0c, 0xf3, 0xad, 0x3d, + 0x2e, 0xc4, 0xb3, 0x6b, 0x51, 0xb8, 0xc5, 0xd6, 0xdc, 0x2e, 0xa1, 0x9b, 0xa9, 0x1c, 0xb7, 0xe0, + 0x79, 0x18, 0x89, 0x13, 0xd2, 0x9e, 0xa9, 0xa4, 0x65, 0x70, 0x23, 0x21, 0x6d, 0xcc, 0x20, 0xe8, + 0x3b, 0xe0, 0x44, 0xe2, 0x44, 0x5b, 0x24, 0x89, 0xc8, 0xae, 0xc7, 0xdc, 0xca, 0x6c, 0x67, 0x5c, + 0xab, 0x9f, 0xa2, 0x26, 0xd9, 0x3a, 0x03, 0x61, 0x09, 0xc2, 0x59, 0x5c, 0xfb, 0xbf, 0x95, 0xe0, + 0xc9, 0xf4, 0xf7, 0xd1, 0x5a, 0xf3, 0x3b, 0x53, 0x5a, 0xf3, 0xad, 0xa6, 0xd6, 0x7c, 0xb0, 0x37, + 0xfb, 0x54, 0x9f, 0xc7, 0xbe, 0x6e, 0x94, 0x2a, 0xba, 0x92, 0xf9, 0x42, 0x17, 0x7a, 0xbe, 0xd0, + 0x33, 0x7d, 0xde, 0x31, 0x63, 0xed, 0x3c, 0x0f, 0xa3, 0x11, 0x71, 0xe2, 0x30, 0x10, 0xdf, 0x49, + 0x2d, 0x06, 0xcc, 0x5a, 0xb1, 0x80, 0xda, 0xbf, 0x53, 0xcb, 0x0e, 0xf6, 0x15, 0xee, 0x2a, 0x0f, + 0x23, 0xe4, 0xc1, 0x08, 0xdb, 0xff, 0x71, 0xb1, 0x73, 0x7d, 0xb8, 0x25, 0x4a, 0x55, 0x8c, 0x22, + 0x5d, 0xaf, 0xd2, 0xaf, 0x46, 0x9b, 0x30, 0x63, 0x81, 0xee, 0x41, 0xd5, 0x95, 0x3b, 0xad, 0x52, + 0x11, 0xde, 0x4e, 0xb1, 0xcf, 0xd2, 0x1c, 0x27, 0xa8, 0x2e, 0x50, 0xdb, 0x33, 0xc5, 0x0d, 0x11, + 0x28, 0x6f, 0x79, 0x89, 0xf8, 0xac, 0x43, 0x6e, 0xbc, 0xaf, 0x78, 0xc6, 0x2b, 0x8e, 0x51, 0x05, + 0x75, 0xc5, 0x4b, 0x30, 0xa5, 0x8f, 0x3e, 0x6d, 0xc1, 0x78, 0xec, 0xb6, 0xd6, 0xa2, 0x70, 0xd7, + 0x6b, 
0x92, 0x48, 0x18, 0xa0, 0x43, 0x8a, 0xbd, 0xc6, 0xc2, 0x8a, 0x24, 0xa8, 0xf9, 0x72, 0x47, + 0x88, 0x86, 0x60, 0x93, 0x2f, 0xdd, 0x98, 0x3d, 0x29, 0xde, 0x7d, 0x91, 0xb8, 0x6c, 0xc5, 0xc9, + 0x0d, 0x35, 0x9b, 0x29, 0x43, 0x1b, 0xe4, 0x8b, 0x1d, 0x77, 0x87, 0xae, 0x37, 0xdd, 0xa1, 0xa7, + 0xee, 0xef, 0xcd, 0x3e, 0xb9, 0x90, 0xcf, 0x13, 0xf7, 0xeb, 0x0c, 0x1b, 0xb0, 0x76, 0xc7, 0xf7, + 0x31, 0x79, 0xb5, 0x43, 0x98, 0x6f, 0xad, 0x80, 0x01, 0x5b, 0xd3, 0x04, 0x33, 0x03, 0x66, 0x40, + 0xb0, 0xc9, 0x17, 0xbd, 0x0a, 0xa3, 0x2d, 0x27, 0x89, 0xbc, 0x7b, 0xc2, 0xa1, 0x36, 0xe4, 0x16, + 0x69, 0x85, 0xd1, 0xd2, 0xcc, 0x99, 0x15, 0xc0, 0x1b, 0xb1, 0x60, 0x84, 0x5a, 0x50, 0x69, 0x91, + 0x68, 0x8b, 0xcc, 0x54, 0x8b, 0x38, 0x69, 0x58, 0xa1, 0xa4, 0x34, 0xc3, 0x1a, 0xb5, 0xbc, 0x58, + 0x1b, 0xe6, 0x5c, 0xd0, 0x2b, 0x50, 0x8d, 0x89, 0x4f, 0x5c, 0x6a, 0x3b, 0xd5, 0x18, 0xc7, 0x77, + 0x0c, 0x68, 0x47, 0x52, 0xa3, 0xa5, 0x21, 0x1e, 0xe5, 0x0b, 0x4c, 0xfe, 0xc3, 0x8a, 0x24, 0x1d, + 0xc0, 0xb6, 0xdf, 0xd9, 0xf2, 0x82, 0x19, 0x28, 0x62, 0x00, 0xd7, 0x18, 0xad, 0xcc, 0x00, 0xf2, + 0x46, 0x2c, 0x18, 0xd9, 0xff, 0xd5, 0x02, 0x94, 0x16, 0x6a, 0xc7, 0x60, 0x30, 0xbf, 0x9a, 0x36, + 0x98, 0x97, 0x8b, 0xb4, 0x68, 0xfa, 0xd8, 0xcc, 0x3f, 0x5f, 0x83, 0x8c, 0x3a, 0xb8, 0x41, 0xe2, + 0x84, 0x34, 0xdf, 0x10, 0xe1, 0x6f, 0x88, 0xf0, 0x37, 0x44, 0xb8, 0x12, 0xe1, 0x1b, 0x19, 0x11, + 0xfe, 0x6e, 0x63, 0xd5, 0xeb, 0xd0, 0x87, 0x0f, 0xab, 0xd8, 0x08, 0xb3, 0x07, 0x06, 0x02, 0x95, + 0x04, 0xd7, 0x1a, 0xab, 0x37, 0x72, 0x65, 0xf6, 0x87, 0xd3, 0x32, 0x7b, 0x58, 0x16, 0x7f, 0x15, + 0xa4, 0xf4, 0xaf, 0x59, 0xf0, 0xe6, 0xb4, 0xf4, 0x92, 0x33, 0x67, 0x69, 0x2b, 0x08, 0x23, 0xb2, + 0xe8, 0x6d, 0x6e, 0x92, 0x88, 0x04, 0x2e, 0x89, 0x95, 0xe3, 0xc7, 0xea, 0xe7, 0xf8, 0x41, 0xef, + 0x84, 0x89, 0x3b, 0x71, 0x18, 0xac, 0x85, 0x5e, 0x20, 0x44, 0x10, 0xdd, 0x71, 0x9c, 0xbc, 0xbf, + 0x37, 0x3b, 0x41, 0x47, 0x54, 0xb6, 0xe3, 0x14, 0x16, 0x5a, 0x80, 0xe9, 0x3b, 0xaf, 0xae, 0x39, + 0x89, 0xe1, 0x6a, 0x90, 0x4e, 0x01, 0x76, 
0xb2, 0x75, 0xed, 0x3d, 0x19, 0x20, 0xee, 0xc5, 0xb7, + 0xff, 0x6e, 0x09, 0xce, 0x66, 0x5e, 0x24, 0xf4, 0xfd, 0xb0, 0x93, 0xd0, 0x3d, 0x11, 0xfa, 0xb2, + 0x05, 0x27, 0x5b, 0x69, 0x6f, 0x46, 0x2c, 0x7c, 0xe1, 0xef, 0x2d, 0x4c, 0x47, 0x64, 0xdc, 0x25, + 0xf5, 0x19, 0x31, 0x42, 0x27, 0x33, 0x80, 0x18, 0xf7, 0xf4, 0x05, 0xbd, 0x02, 0xb5, 0x96, 0x73, + 0xef, 0x66, 0xbb, 0xe9, 0x24, 0x72, 0xaf, 0xda, 0xdf, 0xc5, 0xd0, 0x49, 0x3c, 0x7f, 0x8e, 0x07, + 0xd5, 0xcc, 0x2d, 0x05, 0xc9, 0x6a, 0xd4, 0x48, 0x22, 0x2f, 0xd8, 0xe2, 0x1e, 0xd0, 0x15, 0x49, + 0x06, 0x6b, 0x8a, 0xf6, 0x97, 0xac, 0xac, 0x92, 0x52, 0xa3, 0x13, 0x39, 0x09, 0xd9, 0xea, 0xa2, + 0x8f, 0x42, 0x85, 0xee, 0x1b, 0xe5, 0xa8, 0xdc, 0x2e, 0x52, 0x73, 0x1a, 0x5f, 0x42, 0x2b, 0x51, + 0xfa, 0x2f, 0xc6, 0x9c, 0xa9, 0xfd, 0xe5, 0x5a, 0xd6, 0x58, 0x60, 0x21, 0x01, 0x17, 0x01, 0xb6, + 0xc2, 0x75, 0xd2, 0x6a, 0xfb, 0x74, 0x58, 0x2c, 0x76, 0xfa, 0xa3, 0xfc, 0x28, 0x57, 0x14, 0x04, + 0x1b, 0x58, 0xe8, 0x07, 0x2c, 0x80, 0x2d, 0x39, 0xe7, 0xa5, 0x21, 0x70, 0xb3, 0xc8, 0xd7, 0xd1, + 0x2b, 0x4a, 0xf7, 0x45, 0x31, 0xc4, 0x06, 0x73, 0xf4, 0xbd, 0x16, 0x54, 0x13, 0xd9, 0x7d, 0xae, + 0x1a, 0xd7, 0x8b, 0xec, 0x89, 0x7c, 0x69, 0x6d, 0x13, 0xa9, 0x21, 0x51, 0x7c, 0xd1, 0xf7, 0x59, + 0x00, 0x71, 0x37, 0x70, 0xd7, 0x42, 0xdf, 0x73, 0xbb, 0x42, 0x63, 0xde, 0x2a, 0xd4, 0xd7, 0xa3, + 0xa8, 0xd7, 0xa7, 0xe8, 0x68, 0xe8, 0xff, 0xd8, 0xe0, 0x8c, 0x3e, 0x06, 0xd5, 0x58, 0x4c, 0x37, + 0xa1, 0x23, 0xd7, 0x8b, 0xf5, 0x38, 0x71, 0xda, 0x42, 0xbc, 0x8a, 0x7f, 0x58, 0xf1, 0x44, 0x3f, + 0x6a, 0xc1, 0x89, 0x76, 0xda, 0x87, 0x28, 0xd4, 0x61, 0x71, 0x32, 0x20, 0xe3, 0xa3, 0xe4, 0xde, + 0x96, 0x4c, 0x23, 0xce, 0xf6, 0x82, 0x4a, 0x40, 0x3d, 0x83, 0x57, 0xdb, 0xdc, 0x9f, 0x39, 0xa6, + 0x25, 0xe0, 0x95, 0x2c, 0x10, 0xf7, 0xe2, 0xa3, 0x35, 0x38, 0x4d, 0x7b, 0xd7, 0xe5, 0xe6, 0xa7, + 0x54, 0x2f, 0x31, 0x53, 0x86, 0xd5, 0xfa, 0xd3, 0x62, 0x86, 0xb0, 0x83, 0x90, 0x2c, 0x0e, 0xce, + 0x7d, 0x12, 0xfd, 0x96, 0x05, 0x4f, 0x7b, 0x4c, 0x0d, 0x98, 0xde, 0x7c, 0xad, 
0x11, 0xc4, 0x91, + 0x3d, 0x29, 0x54, 0x56, 0xf4, 0x53, 0x3f, 0xf5, 0x6f, 0x14, 0x6f, 0xf0, 0xf4, 0xd2, 0x3e, 0x5d, + 0xc2, 0xfb, 0x76, 0x18, 0x7d, 0x2b, 0x4c, 0xca, 0x75, 0xb1, 0x46, 0x45, 0x30, 0x53, 0xb4, 0xb5, + 0xfa, 0xf4, 0xfd, 0xbd, 0xd9, 0xc9, 0x75, 0x13, 0x80, 0xd3, 0x78, 0xf6, 0x5f, 0x8c, 0xa4, 0x8e, + 0x90, 0x94, 0x83, 0x93, 0x89, 0x1b, 0x57, 0xfa, 0x7f, 0xa4, 0xf4, 0x2c, 0x54, 0xdc, 0x28, 0xef, + 0x92, 0x16, 0x37, 0xaa, 0x29, 0xc6, 0x06, 0x73, 0x6a, 0x94, 0x4e, 0x3b, 0x59, 0x37, 0xaa, 0x90, + 0x80, 0xaf, 0x14, 0xd9, 0xa5, 0xde, 0x03, 0xbf, 0xb3, 0xa2, 0x6b, 0xd3, 0x3d, 0x20, 0xdc, 0xdb, + 0x25, 0xf4, 0xdd, 0x50, 0x8b, 0x54, 0x8c, 0x4c, 0xb9, 0x88, 0xad, 0x9a, 0x9c, 0x36, 0xa2, 0x3b, + 0xea, 0x74, 0x48, 0x47, 0xc3, 0x68, 0x8e, 0xe8, 0xdd, 0x30, 0xa5, 0xfe, 0x2c, 0xb0, 0x63, 0x21, + 0x2a, 0x14, 0xcb, 0xf5, 0x27, 0xc4, 0x53, 0x53, 0x38, 0x05, 0xc5, 0x19, 0x6c, 0x14, 0xc1, 0x28, + 0x8f, 0xdb, 0x14, 0x62, 0x6c, 0xc8, 0xed, 0x8e, 0x19, 0xfc, 0xa9, 0x7d, 0x84, 0xbc, 0x15, 0x0b, + 0x4e, 0xf6, 0x67, 0x4a, 0xa9, 0x93, 0x3e, 0x43, 0xde, 0x0d, 0x70, 0x8a, 0xf9, 0x79, 0x0b, 0xc6, + 0xa3, 0xd0, 0xf7, 0xbd, 0x60, 0x8b, 0xca, 0x66, 0x61, 0x60, 0x7c, 0xe0, 0x48, 0x74, 0xbc, 0x10, + 0xc2, 0x6c, 0x37, 0x80, 0x35, 0x4f, 0x6c, 0x76, 0x00, 0xbd, 0x0c, 0x93, 0x4d, 0xe2, 0x13, 0xfa, + 0xec, 0x6a, 0x44, 0xf7, 0x71, 0xdc, 0x6b, 0xae, 0xe2, 0x64, 0x16, 0x4d, 0x20, 0x4e, 0xe3, 0xda, + 0x7f, 0x6c, 0xc1, 0x4c, 0x3f, 0x05, 0x84, 0x08, 0x3c, 0x25, 0xa5, 0xab, 0xfa, 0x8a, 0xab, 0x81, + 0xa4, 0x27, 0x6c, 0x88, 0xe7, 0x04, 0x9f, 0xa7, 0xd6, 0xfa, 0xa3, 0xe2, 0xfd, 0xe8, 0xa0, 0xf7, + 0xc3, 0x49, 0x63, 0x50, 0x62, 0x35, 0xaa, 0xb5, 0xfa, 0x1c, 0xb5, 0xf8, 0xe6, 0x33, 0xb0, 0x07, + 0x7b, 0xb3, 0x4f, 0x64, 0xdb, 0x84, 0x86, 0xec, 0xa1, 0x63, 0xff, 0x64, 0xcf, 0xa7, 0x56, 0xc6, + 0xcd, 0x17, 0xad, 0x1e, 0xf7, 0xc9, 0x7b, 0x8f, 0xc2, 0xa0, 0x60, 0x8e, 0x16, 0x15, 0x94, 0xd2, + 0x1f, 0xe7, 0x11, 0x06, 0x31, 0xd8, 0xbf, 0x39, 0x02, 0xfb, 0xf4, 0x6c, 0x80, 0xdd, 0xca, 0xa1, + 0x4f, 0x95, 0x3f, 
0x67, 0xa9, 0xe3, 0x43, 0x2e, 0xb4, 0x9a, 0x47, 0x35, 0xf6, 0x7c, 0xc3, 0x18, + 0xf3, 0x40, 0x1a, 0x25, 0x12, 0xd2, 0x07, 0x95, 0xe8, 0x2b, 0x56, 0xfa, 0x00, 0x94, 0x07, 0x8f, + 0x7a, 0x47, 0xd6, 0x27, 0xe3, 0x54, 0x95, 0x77, 0x4c, 0x9f, 0xc5, 0xf5, 0x3b, 0x6f, 0x9d, 0x03, + 0xd8, 0xf4, 0x02, 0xc7, 0xf7, 0x5e, 0xa3, 0xdb, 0xc1, 0x0a, 0xb3, 0x68, 0x98, 0x89, 0x78, 0x59, + 0xb5, 0x62, 0x03, 0xe3, 0xdc, 0x5f, 0x87, 0x71, 0xe3, 0xcd, 0x73, 0xe2, 0x7f, 0x4e, 0x9b, 0xf1, + 0x3f, 0x35, 0x23, 0x6c, 0xe7, 0xdc, 0xbb, 0xe1, 0x64, 0xb6, 0x83, 0x87, 0x79, 0xde, 0xfe, 0xdf, + 0x63, 0xd9, 0x13, 0xc9, 0x75, 0x12, 0xb5, 0x68, 0xd7, 0xde, 0xf0, 0xe4, 0xbd, 0xe1, 0xc9, 0x7b, + 0xc3, 0x93, 0x67, 0x1e, 0xc6, 0x08, 0x2f, 0xd5, 0xd8, 0x31, 0x79, 0xa9, 0x52, 0x7e, 0xb7, 0x6a, + 0xe1, 0x7e, 0x37, 0xfb, 0xd3, 0x3d, 0x47, 0x15, 0xeb, 0x11, 0x21, 0x28, 0x84, 0x4a, 0x10, 0x36, + 0x89, 0x34, 0xea, 0xaf, 0x15, 0x63, 0xa1, 0xde, 0x08, 0x9b, 0x46, 0x58, 0x3e, 0xfd, 0x17, 0x63, + 0xce, 0xc7, 0xfe, 0xd4, 0x28, 0xa4, 0xec, 0x67, 0xfe, 0xdd, 0xbf, 0x19, 0xc6, 0x22, 0xd2, 0x0e, + 0x6f, 0xe2, 0x65, 0xa1, 0xcb, 0x74, 0x76, 0x13, 0x6f, 0xc6, 0x12, 0x4e, 0x75, 0x5e, 0xdb, 0x49, + 0xb6, 0x85, 0x32, 0x53, 0x3a, 0x6f, 0xcd, 0x49, 0xb6, 0x31, 0x83, 0x50, 0xd3, 0x37, 0x49, 0x9d, + 0xfd, 0x8b, 0x33, 0x6e, 0x65, 0xfa, 0xa6, 0x23, 0x03, 0x70, 0x06, 0x1b, 0xbd, 0x0a, 0x23, 0xdb, + 0xc4, 0x6f, 0x89, 0x4f, 0xdf, 0x28, 0x4e, 0xd7, 0xb0, 0x77, 0xbd, 0x4a, 0xfc, 0x16, 0x97, 0x84, + 0xf4, 0x17, 0x66, 0xac, 0xe8, 0xbc, 0xaf, 0xed, 0x74, 0xe2, 0x24, 0x6c, 0x79, 0xaf, 0x49, 0xd7, + 0xee, 0x7b, 0x0b, 0x66, 0x7c, 0x5d, 0xd2, 0xe7, 0x3e, 0x34, 0xf5, 0x17, 0x6b, 0xce, 0xac, 0x1f, + 0x4d, 0x2f, 0x62, 0x53, 0xa6, 0x2b, 0x3c, 0xb4, 0x45, 0xf7, 0x63, 0x51, 0xd2, 0xe7, 0xfd, 0x50, + 0x7f, 0xb1, 0xe6, 0x8c, 0xba, 0x6a, 0xfd, 0x8d, 0xb3, 0x3e, 0xdc, 0x2c, 0xb8, 0x0f, 0x7c, 0xed, + 0xe5, 0xae, 0xc3, 0xe7, 0xa0, 0xe2, 0x6e, 0x3b, 0x51, 0x32, 0x33, 0xc1, 0x26, 0x8d, 0x9a, 0xc5, + 0x0b, 0xb4, 0x11, 0x73, 0x18, 0x7a, 0x06, 0xca, 0x11, 
0xd9, 0x64, 0xb1, 0xda, 0x46, 0x94, 0x18, + 0x26, 0x9b, 0x98, 0xb6, 0x2b, 0xbb, 0x6c, 0xaa, 0x6f, 0xf8, 0xe0, 0x8f, 0x97, 0xd2, 0x86, 0x5d, + 0x7a, 0x64, 0xf8, 0x7a, 0x70, 0x3b, 0x51, 0x2c, 0x3d, 0x82, 0xc6, 0x7a, 0x60, 0xcd, 0x58, 0xc2, + 0xd1, 0x27, 0x2c, 0x18, 0xbb, 0x13, 0x87, 0x41, 0x40, 0x12, 0xa1, 0x44, 0x6f, 0x15, 0x3c, 0x58, + 0xd7, 0x38, 0x75, 0xdd, 0x07, 0xd1, 0x80, 0x25, 0x5f, 0xda, 0x5d, 0x72, 0xcf, 0xf5, 0x3b, 0xcd, + 0x9e, 0xd0, 0xa0, 0x4b, 0xbc, 0x19, 0x4b, 0x38, 0x45, 0xf5, 0x02, 0x8e, 0x3a, 0x92, 0x46, 0x5d, + 0x0a, 0x04, 0xaa, 0x80, 0xdb, 0x3f, 0x5b, 0x85, 0x33, 0xb9, 0xcb, 0x87, 0x9a, 0x5c, 0xcc, 0xa8, + 0xb9, 0xec, 0xf9, 0x44, 0x06, 0xc5, 0x31, 0x93, 0xeb, 0x96, 0x6a, 0xc5, 0x06, 0x06, 0xfa, 0x1e, + 0x80, 0xb6, 0x13, 0x39, 0x2d, 0xa2, 0x3c, 0xf6, 0x43, 0x5b, 0x36, 0xb4, 0x1f, 0x6b, 0x92, 0xa6, + 0xf6, 0x5a, 0xa8, 0xa6, 0x18, 0x1b, 0x2c, 0xd1, 0x8b, 0x30, 0x1e, 0x11, 0x9f, 0x38, 0x31, 0x4b, + 0x06, 0xc8, 0xe6, 0x4c, 0x61, 0x0d, 0xc2, 0x26, 0x1e, 0x7a, 0x5e, 0xc5, 0x0f, 0x8e, 0xa4, 0x83, + 0x6b, 0xd2, 0x31, 0x84, 0xe8, 0x0b, 0x16, 0x4c, 0x6d, 0x7a, 0x3e, 0xd1, 0xdc, 0x45, 0x86, 0xd3, + 0xea, 0xf0, 0x2f, 0x79, 0xd9, 0xa4, 0xab, 0x65, 0x68, 0xaa, 0x39, 0xc6, 0x19, 0xf6, 0xf4, 0x33, + 0xef, 0x92, 0x88, 0x09, 0xdf, 0xd1, 0xf4, 0x67, 0xbe, 0xc5, 0x9b, 0xb1, 0x84, 0xa3, 0x79, 0x38, + 0xd1, 0x76, 0xe2, 0x78, 0x21, 0x22, 0x4d, 0x12, 0x24, 0x9e, 0xe3, 0xf3, 0x94, 0xa2, 0xaa, 0x0e, + 0xae, 0x5f, 0x4b, 0x83, 0x71, 0x16, 0x1f, 0xbd, 0x0f, 0x9e, 0xe4, 0x2e, 0xb1, 0x15, 0x2f, 0x8e, + 0xbd, 0x60, 0x4b, 0x4f, 0x03, 0xe1, 0x19, 0x9c, 0x15, 0xa4, 0x9e, 0x5c, 0xca, 0x47, 0xc3, 0xfd, + 0x9e, 0x47, 0x2f, 0x40, 0x35, 0xde, 0xf1, 0xda, 0x0b, 0x51, 0x33, 0x66, 0xc7, 0x61, 0x55, 0xed, + 0x87, 0x6e, 0x88, 0x76, 0xac, 0x30, 0x90, 0x0b, 0x13, 0xfc, 0x93, 0xf0, 0x00, 0x48, 0x21, 0x41, + 0xdf, 0xd6, 0x57, 0x91, 0x8b, 0x94, 0xe3, 0x39, 0xec, 0xdc, 0xbd, 0x24, 0x0f, 0xe7, 0xf8, 0x59, + 0xd2, 0x2d, 0x83, 0x0c, 0x4e, 0x11, 0x4d, 0xef, 0xe9, 0xc6, 0x07, 0xd8, 0xd3, 0xbd, 0x08, 
0xe3, + 0x3b, 0x9d, 0x0d, 0x22, 0x46, 0x5e, 0x08, 0x36, 0x35, 0xfb, 0xae, 0x6b, 0x10, 0x36, 0xf1, 0x58, + 0xec, 0x69, 0xdb, 0x13, 0xff, 0xe2, 0x99, 0x49, 0x23, 0xf6, 0x74, 0x6d, 0x49, 0x36, 0x63, 0x13, + 0x87, 0x76, 0x8d, 0x8e, 0xc5, 0x3a, 0x89, 0x59, 0x6a, 0x09, 0x1d, 0x2e, 0xd5, 0xb5, 0x86, 0x04, + 0x60, 0x8d, 0x83, 0xd6, 0xe0, 0x34, 0xfd, 0xd3, 0x60, 0x29, 0xd7, 0xb7, 0x1c, 0xdf, 0x6b, 0xf2, + 0x40, 0xc8, 0x13, 0x69, 0x87, 0x6e, 0x23, 0x07, 0x07, 0xe7, 0x3e, 0x69, 0xff, 0x58, 0x29, 0xed, + 0x39, 0x31, 0x45, 0x18, 0x8a, 0xa9, 0xa0, 0x4a, 0x6e, 0x39, 0x91, 0x34, 0x78, 0x86, 0xcc, 0x0b, + 0x13, 0x74, 0x6f, 0x39, 0x91, 0x29, 0xf2, 0x18, 0x03, 0x2c, 0x39, 0xa1, 0x3b, 0x30, 0x92, 0xf8, + 0x4e, 0x41, 0x59, 0xa7, 0x06, 0x47, 0xed, 0x05, 0x5b, 0x9e, 0x8f, 0x31, 0xe3, 0x81, 0x9e, 0xa6, + 0xbb, 0xb7, 0x0d, 0x79, 0xb4, 0x28, 0x36, 0x5c, 0x1b, 0x31, 0x66, 0xad, 0xf6, 0xdf, 0x9a, 0xcc, + 0xd1, 0x3a, 0xca, 0x10, 0x40, 0x17, 0x01, 0xe8, 0xa4, 0x59, 0x8b, 0xc8, 0xa6, 0x77, 0x4f, 0x18, + 0x62, 0x4a, 0xb2, 0xdd, 0x50, 0x10, 0x6c, 0x60, 0xc9, 0x67, 0x1a, 0x9d, 0x4d, 0xfa, 0x4c, 0xa9, + 0xf7, 0x19, 0x0e, 0xc1, 0x06, 0x16, 0x7a, 0x27, 0x8c, 0x7a, 0x2d, 0x67, 0x4b, 0x85, 0x45, 0x3f, + 0x4d, 0x45, 0xda, 0x12, 0x6b, 0x79, 0xb0, 0x37, 0x3b, 0xa5, 0x3a, 0xc4, 0x9a, 0xb0, 0xc0, 0x45, + 0x3f, 0x69, 0xc1, 0x84, 0x1b, 0xb6, 0x5a, 0x61, 0xc0, 0xb7, 0xcf, 0xc2, 0x17, 0x70, 0xe7, 0xa8, + 0xcc, 0xa4, 0xb9, 0x05, 0x83, 0x19, 0x77, 0x06, 0xa8, 0xf4, 0x58, 0x13, 0x84, 0x53, 0xbd, 0x32, + 0x25, 0x5f, 0xe5, 0x00, 0xc9, 0xf7, 0x73, 0x16, 0x4c, 0xf3, 0x67, 0x8d, 0x5d, 0xbd, 0x48, 0xee, + 0x0c, 0x8f, 0xf8, 0xb5, 0x7a, 0x1c, 0x1d, 0xca, 0xbb, 0xdd, 0x03, 0xc7, 0xbd, 0x9d, 0x44, 0x57, + 0x60, 0x7a, 0x33, 0x8c, 0x5c, 0x62, 0x0e, 0x84, 0x10, 0xdb, 0x8a, 0xd0, 0xe5, 0x2c, 0x02, 0xee, + 0x7d, 0x06, 0xdd, 0x82, 0x27, 0x8c, 0x46, 0x73, 0x1c, 0xb8, 0xe4, 0x7e, 0x56, 0x50, 0x7b, 0xe2, + 0x72, 0x2e, 0x16, 0xee, 0xf3, 0x74, 0x5a, 0x48, 0xd6, 0x06, 0x10, 0x92, 0x1f, 0x86, 0xb3, 0x6e, + 0xef, 0xc8, 0xec, 0xc6, 0x9d, 
0x8d, 0x98, 0xcb, 0xf1, 0x6a, 0xfd, 0x1b, 0x04, 0x81, 0xb3, 0x0b, + 0xfd, 0x10, 0x71, 0x7f, 0x1a, 0xe8, 0xa3, 0x50, 0x8d, 0x08, 0xfb, 0x2a, 0xb1, 0xc8, 0x74, 0x1c, + 0xd2, 0xdb, 0xa1, 0x2d, 0x78, 0x4e, 0x56, 0x6b, 0x26, 0xd1, 0x10, 0x63, 0xc5, 0x11, 0xdd, 0x85, + 0xb1, 0xb6, 0x93, 0xb8, 0xdb, 0x22, 0x65, 0x71, 0xe8, 0xc3, 0x08, 0xc5, 0x9c, 0x9d, 0x1d, 0x19, + 0x25, 0x26, 0x38, 0x13, 0x2c, 0xb9, 0x51, 0x5b, 0xcd, 0x0d, 0x5b, 0xed, 0x30, 0x20, 0x41, 0x22, + 0x95, 0xc8, 0x14, 0x3f, 0xe0, 0x91, 0xad, 0xd8, 0xc0, 0xe8, 0xd1, 0xe5, 0x1a, 0x6d, 0x66, 0x7a, + 0x1f, 0x5d, 0x6e, 0x50, 0xeb, 0xf7, 0x3c, 0x55, 0x36, 0xcc, 0xad, 0x78, 0xdb, 0x4b, 0xb6, 0xc3, + 0x4e, 0x22, 0x77, 0xc9, 0x42, 0x51, 0x29, 0x65, 0xb3, 0x9c, 0x83, 0x83, 0x73, 0x9f, 0xcc, 0x6a, + 0xd6, 0x13, 0x0f, 0xa7, 0x59, 0x4f, 0x0e, 0xa0, 0x59, 0x1b, 0x70, 0x86, 0xf5, 0x40, 0x58, 0xc9, + 0xd2, 0x69, 0x19, 0xcf, 0x20, 0xd6, 0x79, 0x95, 0xed, 0xb3, 0x9c, 0x87, 0x84, 0xf3, 0x9f, 0x3d, + 0xf7, 0x9d, 0x30, 0xdd, 0x23, 0xe4, 0x0e, 0xe5, 0x90, 0x5c, 0x84, 0x27, 0xf2, 0xc5, 0xc9, 0xa1, + 0xdc, 0x92, 0x3f, 0x9b, 0x09, 0xc4, 0x37, 0xb6, 0x68, 0x03, 0xb8, 0xb8, 0x1d, 0x28, 0x93, 0x60, + 0x57, 0x68, 0xd7, 0xcb, 0xc3, 0xcd, 0xea, 0x4b, 0xc1, 0x2e, 0x97, 0x86, 0xcc, 0x8f, 0x77, 0x29, + 0xd8, 0xc5, 0x94, 0x36, 0xfa, 0x61, 0x2b, 0xb5, 0x81, 0xe0, 0x8e, 0xf1, 0x0f, 0x1d, 0xc9, 0x9e, + 0x74, 0xe0, 0x3d, 0x85, 0xfd, 0x6f, 0x4a, 0x70, 0xfe, 0x20, 0x22, 0x03, 0x0c, 0xdf, 0x73, 0x30, + 0x1a, 0xb3, 0xd0, 0x1a, 0xa1, 0xae, 0xc6, 0xe9, 0x2a, 0xe6, 0xc1, 0x36, 0x1f, 0xc6, 0x02, 0x84, + 0x7c, 0x28, 0xb7, 0x9c, 0xb6, 0xf0, 0x97, 0x2e, 0x0d, 0x9b, 0xcd, 0x48, 0xff, 0x3b, 0xfe, 0x8a, + 0xd3, 0xe6, 0x73, 0xde, 0x68, 0xc0, 0x94, 0x0d, 0x4a, 0xa0, 0xe2, 0x44, 0x91, 0x23, 0xe3, 0x38, + 0xae, 0x17, 0xc3, 0x6f, 0x9e, 0x92, 0xe4, 0xc7, 0xe0, 0xa9, 0x26, 0xcc, 0x99, 0xd9, 0x3f, 0x5a, + 0x4d, 0xa5, 0xbe, 0xb1, 0xe0, 0x9c, 0x18, 0x46, 0x85, 0x9b, 0xd4, 0x2a, 0x3a, 0x89, 0x94, 0xe7, + 0x96, 0x33, 0x0f, 0x84, 0xa8, 0xfd, 0x21, 0x58, 0xa1, 0xcf, 0x5a, 
0xac, 0xc2, 0x86, 0xcc, 0x27, + 0x14, 0xbb, 0xfa, 0xa3, 0x29, 0xf8, 0x61, 0xd6, 0xed, 0x90, 0x8d, 0xd8, 0xe4, 0x2e, 0xaa, 0x09, + 0xb1, 0xdd, 0x4c, 0x6f, 0x35, 0x21, 0xb6, 0x3b, 0x91, 0x70, 0x74, 0x2f, 0x27, 0x08, 0xa7, 0x80, + 0xc2, 0x0b, 0x03, 0x84, 0xdd, 0x7c, 0xc5, 0x82, 0x69, 0x2f, 0x1b, 0x4d, 0x21, 0xf6, 0xc0, 0xb7, + 0x8b, 0xf1, 0x69, 0xf6, 0x06, 0x6b, 0x28, 0x43, 0xa7, 0x07, 0x84, 0x7b, 0x3b, 0x83, 0x9a, 0x30, + 0xe2, 0x05, 0x9b, 0xa1, 0x30, 0xef, 0xea, 0xc3, 0x75, 0x6a, 0x29, 0xd8, 0x0c, 0xf5, 0x6a, 0xa6, + 0xff, 0x30, 0xa3, 0x8e, 0x96, 0xe1, 0xb4, 0x4c, 0x70, 0xba, 0xea, 0xc5, 0x49, 0x18, 0x75, 0x97, + 0xbd, 0x96, 0x97, 0x30, 0xd3, 0xac, 0x5c, 0x9f, 0xa1, 0xea, 0x0d, 0xe7, 0xc0, 0x71, 0xee, 0x53, + 0xe8, 0x35, 0x18, 0x93, 0x11, 0x0c, 0xd5, 0x22, 0xfc, 0x09, 0xbd, 0xf3, 0x5f, 0x4d, 0xa6, 0x86, + 0x08, 0x61, 0x90, 0x0c, 0xd1, 0x67, 0x2c, 0x98, 0xe2, 0xbf, 0xaf, 0x76, 0x9b, 0x3c, 0xe1, 0xb2, + 0x56, 0x44, 0x9a, 0x42, 0x23, 0x45, 0xb3, 0x8e, 0xee, 0xef, 0xcd, 0x4e, 0xa5, 0xdb, 0x70, 0x86, + 0xaf, 0xfd, 0x8f, 0x27, 0xa0, 0x37, 0xe6, 0x23, 0x1d, 0xe0, 0x61, 0x1d, 0x7b, 0x80, 0xc7, 0x1d, + 0x18, 0x89, 0x75, 0x9c, 0x43, 0x01, 0xcb, 0x4c, 0x70, 0xd5, 0xc7, 0xd0, 0xdd, 0xc0, 0xc5, 0x8c, + 0x07, 0xea, 0xa8, 0x60, 0x90, 0x72, 0x41, 0x27, 0xdf, 0x83, 0xc4, 0x83, 0xa0, 0x7b, 0x30, 0xb6, + 0xcd, 0xa7, 0xa3, 0xd8, 0xeb, 0xad, 0x0c, 0x3b, 0xbe, 0xa9, 0x39, 0xae, 0x27, 0x9f, 0x68, 0xc0, + 0x92, 0x1d, 0x8b, 0x27, 0x34, 0x22, 0x9e, 0xb8, 0x20, 0x29, 0x2e, 0x77, 0x74, 0xf0, 0x70, 0xa7, + 0x8f, 0xc0, 0x44, 0x44, 0xdc, 0x30, 0x70, 0x3d, 0x9f, 0x34, 0xe7, 0xe5, 0x81, 0xd8, 0x61, 0xb2, + 0x02, 0x99, 0x37, 0x09, 0x1b, 0x34, 0x70, 0x8a, 0x22, 0x5b, 0x67, 0xaa, 0x8c, 0x00, 0xfd, 0x20, + 0x44, 0x1c, 0x7c, 0x2c, 0x17, 0x54, 0xb4, 0x80, 0xd1, 0xe4, 0xeb, 0x2c, 0xdd, 0x86, 0x33, 0x7c, + 0xd1, 0xfb, 0x01, 0xc2, 0x0d, 0x1e, 0x34, 0x38, 0x9f, 0x88, 0x53, 0x90, 0xc3, 0xbc, 0xea, 0x14, + 0x4f, 0x3d, 0x96, 0x14, 0xb0, 0x41, 0x0d, 0x5d, 0x07, 0xe0, 0x2b, 0x67, 0xbd, 0xdb, 0x96, 0x1b, + 0x42, 
0x99, 0xd6, 0x09, 0x0d, 0x05, 0x79, 0xb0, 0x37, 0xdb, 0xeb, 0x73, 0x66, 0x51, 0x46, 0xc6, + 0xe3, 0xe8, 0xbb, 0x60, 0x2c, 0xee, 0xb4, 0x5a, 0x8e, 0x3a, 0x23, 0x29, 0x30, 0x99, 0x99, 0xd3, + 0x35, 0x04, 0x23, 0x6f, 0xc0, 0x92, 0x23, 0xba, 0x43, 0x45, 0xbc, 0x90, 0x50, 0x7c, 0x15, 0x71, + 0x0b, 0x85, 0x7b, 0x02, 0xdf, 0x25, 0x77, 0x31, 0x38, 0x07, 0xe7, 0xc1, 0xde, 0xec, 0x13, 0xe9, + 0xf6, 0xe5, 0x50, 0xa4, 0x17, 0xe7, 0xd2, 0x44, 0xd7, 0x64, 0xbd, 0x32, 0xfa, 0xda, 0xb2, 0xd8, + 0xcd, 0x5b, 0x74, 0xbd, 0x32, 0xd6, 0xdc, 0x7f, 0xcc, 0xcc, 0x87, 0xd1, 0x0a, 0x9c, 0x72, 0xc3, + 0x20, 0x89, 0x42, 0xdf, 0xe7, 0x35, 0x0d, 0xf9, 0xde, 0x9c, 0x9f, 0xa1, 0x3c, 0x25, 0xba, 0x7d, + 0x6a, 0xa1, 0x17, 0x05, 0xe7, 0x3d, 0x47, 0x6d, 0xf2, 0xac, 0x7e, 0x98, 0x2a, 0xe4, 0x78, 0x3d, + 0x45, 0x53, 0x48, 0x28, 0xe5, 0xf6, 0x3e, 0x40, 0x53, 0x04, 0xe9, 0x43, 0x56, 0xf1, 0xc5, 0xde, + 0x09, 0x13, 0xe4, 0x5e, 0x42, 0xa2, 0xc0, 0xf1, 0x6f, 0xe2, 0x65, 0x79, 0x60, 0xc1, 0x16, 0xe6, + 0x25, 0xa3, 0x1d, 0xa7, 0xb0, 0x90, 0xad, 0xbc, 0x64, 0x46, 0x1e, 0x3f, 0xf7, 0x92, 0x49, 0x9f, + 0x98, 0xfd, 0x33, 0xe5, 0x94, 0xcd, 0xfa, 0x48, 0x8e, 0x74, 0x59, 0x75, 0x29, 0x59, 0x86, 0x8b, + 0x01, 0xc4, 0x5e, 0xac, 0x48, 0xce, 0x2a, 0x6a, 0x6e, 0xd5, 0x64, 0x84, 0xd3, 0x7c, 0xd1, 0x0e, + 0x54, 0xb6, 0xc3, 0x38, 0x91, 0x3b, 0xb4, 0x21, 0x37, 0x83, 0x57, 0xc3, 0x38, 0x61, 0x86, 0x96, + 0x7a, 0x6d, 0xda, 0x12, 0x63, 0xce, 0x83, 0xee, 0xfd, 0xe3, 0x6d, 0x27, 0x6a, 0xa6, 0xc2, 0x2b, + 0x95, 0x3d, 0xdd, 0xd0, 0x20, 0x6c, 0xe2, 0xd9, 0x7f, 0x62, 0xa5, 0x4e, 0xb5, 0x6e, 0xb3, 0x2c, + 0x89, 0x5d, 0x12, 0x50, 0x11, 0x65, 0xc6, 0x38, 0x7e, 0x6b, 0x26, 0xe7, 0xfc, 0xcd, 0xfd, 0xca, + 0x8f, 0xde, 0xa5, 0x14, 0xe6, 0x18, 0x09, 0x23, 0x1c, 0xf2, 0xe3, 0x56, 0xba, 0xb2, 0x40, 0xa9, + 0x88, 0xad, 0x9b, 0x59, 0x5d, 0xe3, 0xc0, 0x22, 0x05, 0xf6, 0x0f, 0x5b, 0x30, 0x56, 0x77, 0xdc, + 0x9d, 0x70, 0x73, 0x13, 0xbd, 0x00, 0xd5, 0x66, 0x27, 0x32, 0x8b, 0x1c, 0x28, 0x67, 0xd5, 0xa2, + 0x68, 0xc7, 0x0a, 0x83, 0x4e, 0xfd, 0x4d, 
0xc7, 0x95, 0x35, 0x36, 0xca, 0x7c, 0xea, 0x5f, 0x66, + 0x2d, 0x58, 0x40, 0xe8, 0xf0, 0xb7, 0x9c, 0x7b, 0xf2, 0xe1, 0xec, 0x91, 0xda, 0x8a, 0x06, 0x61, + 0x13, 0xcf, 0xfe, 0x55, 0x0b, 0x66, 0xea, 0x4e, 0xec, 0xb9, 0xf3, 0x9d, 0x64, 0xbb, 0xee, 0x25, + 0x1b, 0x1d, 0x77, 0x87, 0x24, 0xbc, 0x16, 0x0b, 0xed, 0x65, 0x27, 0xa6, 0x2b, 0x50, 0xed, 0x98, + 0x55, 0x2f, 0x6f, 0x8a, 0x76, 0xac, 0x30, 0xd0, 0x6b, 0x30, 0xde, 0x76, 0xe2, 0xf8, 0x6e, 0x18, + 0x35, 0x31, 0xd9, 0x2c, 0xa6, 0x5a, 0x53, 0x83, 0xb8, 0x11, 0x49, 0x30, 0xd9, 0x14, 0x01, 0x2a, + 0x9a, 0x3e, 0x36, 0x99, 0xd9, 0x3f, 0x60, 0xc1, 0xe9, 0x3a, 0x71, 0x22, 0x12, 0xb1, 0xe2, 0x4e, + 0xea, 0x45, 0xd0, 0xab, 0x50, 0x4d, 0x68, 0x0b, 0xed, 0x91, 0x55, 0x6c, 0x8f, 0x58, 0x68, 0xc9, + 0xba, 0x20, 0x8e, 0x15, 0x1b, 0xfb, 0xf3, 0x16, 0x9c, 0xcd, 0xeb, 0xcb, 0x82, 0x1f, 0x76, 0x9a, + 0x8f, 0xa2, 0x43, 0x7f, 0xc7, 0x82, 0x09, 0x76, 0x5c, 0xbf, 0x48, 0x12, 0xc7, 0xf3, 0x7b, 0x4a, + 0x56, 0x5a, 0x03, 0x96, 0xac, 0x3c, 0x0f, 0x23, 0xdb, 0x61, 0x8b, 0x64, 0x43, 0x4d, 0xae, 0x86, + 0x2d, 0x82, 0x19, 0x04, 0xbd, 0x9d, 0x4e, 0x42, 0x2f, 0x48, 0x1c, 0xba, 0x1c, 0xe5, 0x71, 0xc6, + 0x09, 0x3e, 0x01, 0x55, 0x33, 0x36, 0x71, 0xec, 0x7f, 0x55, 0x83, 0x31, 0x11, 0x17, 0x35, 0x70, + 0x6d, 0x20, 0xe9, 0xc5, 0x29, 0xf5, 0xf5, 0xe2, 0xc4, 0x30, 0xea, 0xb2, 0xfa, 0xc2, 0xc2, 0x42, + 0xbf, 0x5e, 0x48, 0x20, 0x1d, 0x2f, 0x59, 0xac, 0xbb, 0xc5, 0xff, 0x63, 0xc1, 0x0a, 0xbd, 0x6e, + 0xc1, 0x09, 0x37, 0x0c, 0x02, 0xe2, 0x6a, 0xdb, 0x71, 0xa4, 0x88, 0x0d, 0xc2, 0x42, 0x9a, 0xa8, + 0x3e, 0x09, 0xce, 0x00, 0x70, 0x96, 0x3d, 0x7a, 0x19, 0x26, 0xf9, 0x98, 0xdd, 0x4a, 0x9d, 0xc1, + 0xe8, 0xe2, 0x84, 0x26, 0x10, 0xa7, 0x71, 0xd1, 0x1c, 0x3f, 0xcb, 0x12, 0x95, 0xfd, 0x46, 0xb5, + 0xab, 0xda, 0xa8, 0xe9, 0x67, 0x60, 0xa0, 0x08, 0x50, 0x44, 0x36, 0x23, 0x12, 0x6f, 0x8b, 0xb8, + 0x31, 0x66, 0xb7, 0x8e, 0x3d, 0x5c, 0xe1, 0x0e, 0xdc, 0x43, 0x09, 0xe7, 0x50, 0x47, 0x3b, 0xc2, + 0x8d, 0x50, 0x2d, 0x42, 0x9e, 0x8b, 0xcf, 0xdc, 0xd7, 0x9b, 0x30, 0x0b, 0x15, 
0xa6, 0xba, 0x98, + 0xbd, 0x5c, 0xe6, 0xc9, 0xa2, 0x4c, 0xb1, 0x61, 0xde, 0x8e, 0x16, 0xe1, 0x64, 0xa6, 0x5a, 0x62, + 0x2c, 0xce, 0x4a, 0x54, 0x62, 0x60, 0xa6, 0xce, 0x62, 0x8c, 0x7b, 0x9e, 0x30, 0x5d, 0x4c, 0xe3, + 0x07, 0xb8, 0x98, 0xba, 0x2a, 0x3a, 0x99, 0x9f, 0x62, 0xbc, 0xa7, 0x90, 0x01, 0x18, 0x28, 0x14, + 0xf9, 0x87, 0x32, 0xa1, 0xc8, 0x93, 0xac, 0x03, 0xb7, 0x8a, 0xe9, 0xc0, 0xe1, 0xe3, 0x8e, 0x1f, + 0x65, 0x1c, 0xf1, 0xff, 0xb2, 0x40, 0x7e, 0xd7, 0x05, 0xc7, 0xdd, 0x26, 0x74, 0xca, 0xe4, 0x64, + 0x9c, 0x58, 0x87, 0xca, 0x38, 0xb9, 0x00, 0x35, 0x3a, 0x4e, 0xfc, 0x51, 0xae, 0xf7, 0x95, 0x07, + 0x64, 0x7e, 0x6d, 0x49, 0x3c, 0xa5, 0x71, 0x50, 0x08, 0xd3, 0xbe, 0x13, 0x27, 0xac, 0x07, 0x8d, + 0x6e, 0xe0, 0x3e, 0x64, 0xd9, 0x1c, 0x96, 0x7d, 0xb6, 0x9c, 0x25, 0x84, 0x7b, 0x69, 0xdb, 0xff, + 0xae, 0x02, 0x93, 0x29, 0xc9, 0x78, 0x48, 0x83, 0xe1, 0x05, 0xa8, 0x4a, 0x1d, 0x9e, 0x2d, 0x1e, + 0xa6, 0x14, 0xbd, 0xc2, 0xa0, 0x4a, 0x6b, 0x43, 0x6b, 0xd5, 0xac, 0x81, 0x63, 0x28, 0x5c, 0x6c, + 0xe2, 0x31, 0xa1, 0x9c, 0xf8, 0xf1, 0x82, 0xef, 0x91, 0x20, 0xe1, 0xdd, 0x2c, 0x46, 0x28, 0xaf, + 0x2f, 0x37, 0x4c, 0xa2, 0x5a, 0x28, 0x67, 0x00, 0x38, 0xcb, 0x1e, 0x7d, 0xca, 0x82, 0x49, 0xe7, + 0x6e, 0xac, 0x8b, 0xe0, 0x8b, 0xa0, 0xe3, 0x21, 0x95, 0x54, 0xaa, 0xae, 0x3e, 0x77, 0xec, 0xa7, + 0x9a, 0x70, 0x9a, 0x29, 0xfa, 0xa2, 0x05, 0x88, 0xdc, 0x23, 0xae, 0x0c, 0x8b, 0x16, 0x7d, 0x19, + 0x2d, 0x62, 0x07, 0x7f, 0xa9, 0x87, 0x2e, 0x97, 0xea, 0xbd, 0xed, 0x38, 0xa7, 0x0f, 0xe8, 0x1a, + 0xa0, 0xa6, 0x17, 0x3b, 0x1b, 0x3e, 0x59, 0x08, 0x5b, 0x32, 0x63, 0x5a, 0x9c, 0xa7, 0x9f, 0x13, + 0xe3, 0x8c, 0x16, 0x7b, 0x30, 0x70, 0xce, 0x53, 0x6c, 0x96, 0x45, 0xe1, 0xbd, 0xee, 0xcd, 0xc8, + 0x67, 0x5a, 0xc2, 0x9c, 0x65, 0xa2, 0x1d, 0x2b, 0x0c, 0xfb, 0x4f, 0xcb, 0x6a, 0x29, 0xeb, 0x1c, + 0x00, 0xc7, 0x88, 0x45, 0xb6, 0x1e, 0x3e, 0x16, 0x59, 0x47, 0x4a, 0xf5, 0xd6, 0x01, 0x48, 0xa5, + 0x0d, 0x97, 0x1e, 0x51, 0xda, 0xf0, 0xf7, 0x5a, 0xa9, 0x02, 0x7d, 0xe3, 0x17, 0xdf, 0x5f, 0x6c, + 0xfe, 0xc1, 0x1c, 
0x8f, 0xe2, 0xca, 0xe8, 0x95, 0x4c, 0xf0, 0xde, 0x0b, 0x50, 0xdd, 0xf4, 0x1d, + 0x56, 0x39, 0x86, 0x2d, 0x54, 0x23, 0xc2, 0xec, 0xb2, 0x68, 0xc7, 0x0a, 0x83, 0x4a, 0x7d, 0x83, + 0xe8, 0xa1, 0xa4, 0xf6, 0x7f, 0x2c, 0xc3, 0xb8, 0xa1, 0xf1, 0x73, 0xcd, 0x37, 0xeb, 0x31, 0x33, + 0xdf, 0x4a, 0x87, 0x30, 0xdf, 0xbe, 0x07, 0x6a, 0xae, 0xd4, 0x46, 0xc5, 0x5c, 0x65, 0x90, 0xd5, + 0x71, 0x5a, 0x21, 0xa9, 0x26, 0xac, 0x79, 0xa2, 0x2b, 0xa9, 0xd4, 0xd4, 0x94, 0x5f, 0x20, 0x2f, + 0x77, 0x54, 0x68, 0xb4, 0xde, 0x67, 0xb2, 0xf1, 0x01, 0x95, 0x83, 0xe3, 0x03, 0xec, 0xdf, 0xb7, + 0xd4, 0xc7, 0x3d, 0x86, 0x1a, 0x44, 0x77, 0xd2, 0x35, 0x88, 0x2e, 0x15, 0x32, 0xcc, 0x7d, 0x8a, + 0x0f, 0xfd, 0x80, 0x05, 0xcf, 0xee, 0x5f, 0xd4, 0x1b, 0x3d, 0x07, 0x95, 0xad, 0x28, 0xec, 0xb4, + 0x85, 0x0e, 0x56, 0x74, 0x58, 0x05, 0x75, 0xcc, 0x61, 0x74, 0x13, 0xb5, 0xe3, 0x05, 0xcd, 0xec, + 0x26, 0xea, 0xba, 0x17, 0x34, 0x31, 0x83, 0x0c, 0x50, 0xf5, 0xf5, 0x06, 0x8c, 0x2d, 0x84, 0xad, + 0x96, 0x13, 0x34, 0xd1, 0x37, 0xc1, 0x98, 0xcb, 0x7f, 0x0a, 0x7f, 0x1e, 0x3b, 0x38, 0x17, 0x50, + 0x2c, 0x61, 0xe8, 0x69, 0x18, 0x71, 0xa2, 0x2d, 0xe9, 0xc3, 0x63, 0x01, 0x79, 0xf3, 0xd1, 0x56, + 0x8c, 0x59, 0xab, 0xfd, 0xe7, 0x16, 0x4c, 0xd1, 0x47, 0x3c, 0x36, 0xc0, 0x6c, 0x68, 0x9f, 0x87, + 0x51, 0xa7, 0x93, 0x6c, 0x87, 0x3d, 0x7b, 0xc2, 0x79, 0xd6, 0x8a, 0x05, 0x94, 0x76, 0x56, 0x15, + 0xd2, 0x30, 0x3a, 0xbb, 0x48, 0xd7, 0x15, 0x83, 0x50, 0xb3, 0x3a, 0xee, 0x6c, 0xe4, 0x9d, 0xdc, + 0x36, 0x78, 0x33, 0x96, 0x70, 0x4a, 0x6c, 0x23, 0x6c, 0x76, 0x45, 0x98, 0xb1, 0x22, 0x56, 0x0f, + 0x9b, 0x5d, 0xcc, 0x20, 0xe8, 0x19, 0x28, 0xc7, 0xdb, 0x8e, 0x8c, 0x11, 0x90, 0x11, 0xef, 0x8d, + 0xab, 0xf3, 0x98, 0xb6, 0xab, 0x04, 0x8e, 0xc8, 0xcf, 0xc6, 0xfb, 0xa6, 0x13, 0x38, 0x22, 0xdf, + 0xfe, 0xe7, 0x23, 0xc0, 0x62, 0x7f, 0x9c, 0x88, 0x34, 0xd7, 0x43, 0x56, 0xa7, 0xf9, 0x48, 0x8f, + 0xd8, 0xf5, 0xa6, 0xfa, 0x71, 0x3e, 0x66, 0x37, 0x8e, 0x5a, 0xcb, 0xc7, 0x7d, 0xd4, 0x9a, 0x7f, + 0x7a, 0x3e, 0xf2, 0x18, 0x9d, 0x9e, 0xdb, 0x9f, 0xb3, 
0x00, 0xa9, 0x48, 0x2e, 0x1d, 0xde, 0x72, + 0x01, 0x6a, 0x2a, 0x74, 0x4c, 0xac, 0x17, 0x2d, 0xa2, 0x25, 0x00, 0x6b, 0x9c, 0x01, 0x3c, 0x29, + 0xcf, 0x49, 0xfd, 0x59, 0x4e, 0xcb, 0x12, 0xa6, 0x75, 0x85, 0x3a, 0xb5, 0x7f, 0xb9, 0x04, 0x4f, + 0x70, 0xd3, 0x6d, 0xc5, 0x09, 0x9c, 0x2d, 0xd2, 0xa2, 0xbd, 0x1a, 0x34, 0x60, 0xc9, 0xa5, 0x5b, + 0x78, 0x4f, 0x66, 0x6b, 0x0c, 0x2b, 0x3b, 0xb9, 0x9c, 0xe1, 0x92, 0x65, 0x29, 0xf0, 0x12, 0xcc, + 0x88, 0xa3, 0x18, 0xaa, 0xf2, 0x2e, 0x2a, 0xa1, 0x0b, 0x0b, 0x62, 0xa4, 0xd4, 0x82, 0xb0, 0x72, + 0x08, 0x56, 0x8c, 0xa8, 0x29, 0xe3, 0x87, 0xee, 0x0e, 0x5d, 0xf2, 0x59, 0x53, 0x66, 0x59, 0xb4, + 0x63, 0x85, 0x61, 0xb7, 0xe0, 0x84, 0x1c, 0xc3, 0xf6, 0x75, 0xd2, 0xc5, 0x64, 0x93, 0xea, 0x7f, + 0x57, 0x36, 0x19, 0xd7, 0x63, 0x29, 0xfd, 0xbf, 0x60, 0x02, 0x71, 0x1a, 0x57, 0x96, 0x6e, 0x2e, + 0xe5, 0x97, 0x6e, 0xb6, 0x7f, 0xd9, 0x82, 0xac, 0x01, 0xc2, 0x1c, 0x70, 0xe6, 0x5d, 0x57, 0xfd, + 0x6a, 0xba, 0x1f, 0xa2, 0x9a, 0xeb, 0x07, 0x61, 0xdc, 0x49, 0xa8, 0x85, 0xc9, 0xbd, 0x41, 0xe5, + 0x87, 0x3b, 0xc5, 0x5c, 0x09, 0x9b, 0xde, 0xa6, 0xc7, 0xbc, 0x40, 0x26, 0x39, 0xfb, 0x6f, 0x57, + 0xa0, 0xb6, 0x18, 0x75, 0x0f, 0x9f, 0x36, 0xd7, 0x9b, 0x14, 0x57, 0x3a, 0x54, 0x52, 0x9c, 0x4c, + 0xbb, 0x2b, 0xf7, 0x4d, 0xbb, 0x93, 0x69, 0x73, 0x23, 0x8f, 0x2a, 0x6d, 0xae, 0xf2, 0x98, 0xa4, + 0xcd, 0x8d, 0x3e, 0x06, 0x69, 0x73, 0x63, 0xc7, 0x9c, 0x36, 0x67, 0xff, 0x8f, 0x11, 0x98, 0xee, + 0xc9, 0x02, 0x46, 0x2f, 0xc1, 0x84, 0x5a, 0xa3, 0xf2, 0x00, 0xa0, 0x66, 0x86, 0xd1, 0x6b, 0x18, + 0x4e, 0x61, 0x0e, 0x20, 0xa8, 0x97, 0xe0, 0x54, 0x44, 0x5e, 0xed, 0x90, 0x0e, 0x99, 0xdf, 0x4c, + 0x48, 0xd4, 0x20, 0x6e, 0x18, 0x34, 0x79, 0x9d, 0xef, 0x72, 0xfd, 0xc9, 0xfb, 0x7b, 0xb3, 0xa7, + 0x70, 0x2f, 0x18, 0xe7, 0x3d, 0x83, 0xda, 0x30, 0xe9, 0x9b, 0x3b, 0x57, 0x31, 0x87, 0x1f, 0x6a, + 0xd3, 0xab, 0x64, 0x55, 0xaa, 0x19, 0xa7, 0x19, 0xa4, 0xb7, 0xbf, 0x95, 0x47, 0xb4, 0xfd, 0xfd, + 0xa4, 0xde, 0xfe, 0xf2, 0xa8, 0xb4, 0x0f, 0x14, 0x9c, 0x05, 0x3e, 0xc8, 0xfe, 0x77, 0x98, 
0x1d, + 0xed, 0x7b, 0xa0, 0x2a, 0x23, 0x76, 0x07, 0x8a, 0x74, 0x35, 0xe9, 0xf4, 0xd1, 0xec, 0x0f, 0x4a, + 0x90, 0xe3, 0xb4, 0xa1, 0x92, 0x56, 0x5b, 0xfb, 0x29, 0x49, 0x7b, 0x38, 0x8b, 0x1f, 0xdd, 0xe3, + 0xd1, 0xca, 0xdc, 0xc6, 0x7b, 0x5f, 0xd1, 0x4e, 0x27, 0x1d, 0xc0, 0xac, 0xf4, 0x9f, 0x0a, 0x62, + 0xbe, 0x08, 0xa0, 0x37, 0x8c, 0xc2, 0xd2, 0x57, 0xe1, 0x47, 0x7a, 0x5f, 0x89, 0x0d, 0x2c, 0xf4, + 0x22, 0x8c, 0x7b, 0x41, 0x9c, 0x38, 0xbe, 0x7f, 0xd5, 0x0b, 0x12, 0x61, 0xfd, 0x2b, 0x63, 0x76, + 0x49, 0x83, 0xb0, 0x89, 0x77, 0xee, 0x5d, 0xc6, 0x77, 0x39, 0xcc, 0xf7, 0xdc, 0x86, 0xb3, 0x57, + 0xbc, 0x44, 0x89, 0x36, 0x35, 0x8f, 0xd8, 0x26, 0x4f, 0x6a, 0x20, 0xab, 0xaf, 0x06, 0x32, 0xd2, + 0x50, 0x4b, 0xe9, 0xac, 0xd9, 0x6c, 0x1a, 0xaa, 0xed, 0xc2, 0xe9, 0x2b, 0x5e, 0x72, 0xd9, 0xf3, + 0xc9, 0x11, 0x32, 0xf9, 0xa5, 0x51, 0x98, 0x30, 0xab, 0x43, 0x1c, 0x46, 0x5f, 0x7f, 0x9e, 0xee, + 0x4e, 0xc4, 0x40, 0x78, 0x2a, 0xa4, 0xe2, 0xf6, 0xd0, 0xa5, 0x2a, 0xf2, 0x07, 0xd7, 0xd8, 0xa0, + 0x68, 0x9e, 0xd8, 0xec, 0x00, 0xba, 0x0b, 0x95, 0x4d, 0x96, 0x51, 0x59, 0x2e, 0x22, 0x18, 0x2e, + 0x6f, 0xf0, 0xf5, 0x8a, 0xe4, 0x39, 0x99, 0x9c, 0x1f, 0x35, 0x2a, 0xa3, 0x74, 0x22, 0xbf, 0x91, + 0xe7, 0x22, 0xac, 0x15, 0x85, 0xd1, 0x4f, 0x2b, 0x54, 0x1e, 0x42, 0x2b, 0xa4, 0x64, 0xf4, 0xe8, + 0x23, 0x92, 0xd1, 0x2c, 0x3b, 0x36, 0xd9, 0x66, 0x5b, 0x1e, 0x91, 0x98, 0x37, 0xc6, 0x06, 0xc1, + 0xc8, 0x8e, 0x4d, 0x81, 0x71, 0x16, 0x1f, 0x7d, 0x4c, 0x49, 0xf9, 0x6a, 0x11, 0x47, 0x56, 0xe6, + 0x8c, 0x3e, 0x6a, 0x01, 0xff, 0xb9, 0x12, 0x4c, 0x5d, 0x09, 0x3a, 0x6b, 0x57, 0xd6, 0x3a, 0x1b, + 0xbe, 0xe7, 0x5e, 0x27, 0x5d, 0x2a, 0xc5, 0x77, 0x48, 0x77, 0x69, 0x31, 0xeb, 0xeb, 0xb9, 0x4e, + 0x1b, 0x31, 0x87, 0x51, 0xb9, 0xb5, 0xe9, 0x05, 0x5b, 0x24, 0x6a, 0x47, 0x9e, 0x38, 0x4d, 0x32, + 0xe4, 0xd6, 0x65, 0x0d, 0xc2, 0x26, 0x1e, 0xa5, 0x1d, 0xde, 0x0d, 0x54, 0xa9, 0x2e, 0x45, 0x7b, + 0x95, 0x36, 0x62, 0x0e, 0xa3, 0x48, 0x49, 0xd4, 0x11, 0xce, 0x5a, 0x03, 0x69, 0x9d, 0x36, 0x62, + 0x0e, 0x13, 0xbe, 0x17, 0x16, 
0x6b, 0x58, 0xe9, 0xf1, 0xbd, 0xb0, 0x30, 0x1d, 0x09, 0xa7, 0xa8, + 0x3b, 0xa4, 0xbb, 0xe8, 0x24, 0x4e, 0xd6, 0x75, 0x72, 0x9d, 0x37, 0x63, 0x09, 0x67, 0xf5, 0xc6, + 0xd3, 0xc3, 0xf1, 0x75, 0x57, 0x6f, 0x3c, 0xdd, 0xfd, 0x3e, 0x2e, 0xbf, 0x2f, 0x97, 0x60, 0xe2, + 0x8d, 0x3b, 0x89, 0xf7, 0xb9, 0x13, 0xeb, 0x36, 0x4c, 0xf7, 0xe4, 0xe6, 0x0f, 0x60, 0x01, 0x1d, + 0x58, 0x3b, 0xc5, 0xc6, 0x30, 0x4e, 0x09, 0xcb, 0x7a, 0x9b, 0x0b, 0x30, 0xcd, 0x17, 0x31, 0xe5, + 0xc4, 0x52, 0xad, 0x55, 0xbd, 0x05, 0x76, 0x6c, 0x7a, 0x2b, 0x0b, 0xc4, 0xbd, 0xf8, 0xf6, 0x0f, + 0x59, 0x30, 0x99, 0x2a, 0x97, 0x50, 0x90, 0xad, 0xc6, 0x56, 0x79, 0xc8, 0xe2, 0xe5, 0x59, 0xfe, + 0x52, 0x99, 0xa9, 0x63, 0xbd, 0xca, 0x35, 0x08, 0x9b, 0x78, 0xf6, 0x6f, 0x94, 0xa1, 0x2a, 0x63, + 0xfb, 0x06, 0xe8, 0xca, 0x67, 0x2d, 0x98, 0x54, 0x47, 0xd5, 0xec, 0x6c, 0xa1, 0x54, 0x44, 0xf6, + 0x26, 0xed, 0x81, 0xf2, 0x8e, 0x05, 0x9b, 0xa1, 0xde, 0x38, 0x60, 0x93, 0x19, 0x4e, 0xf3, 0x46, + 0xb7, 0x00, 0xe2, 0x6e, 0x9c, 0x90, 0x96, 0x71, 0xca, 0x61, 0x1b, 0xb3, 0x6c, 0xce, 0x0d, 0x23, + 0x42, 0xe7, 0xd4, 0x8d, 0xb0, 0x49, 0x1a, 0x0a, 0x53, 0x5b, 0x7a, 0xba, 0x0d, 0x1b, 0x94, 0xd0, + 0x6b, 0x2a, 0xb0, 0x62, 0xa4, 0x08, 0xfd, 0x2e, 0xc7, 0x77, 0x90, 0xc8, 0x8a, 0x21, 0x22, 0x19, + 0xec, 0x9f, 0x2e, 0xc1, 0xc9, 0xec, 0x48, 0xa2, 0x0f, 0xc0, 0x84, 0x1c, 0x34, 0xc3, 0x89, 0x24, + 0x03, 0x2a, 0x27, 0xb0, 0x01, 0x7b, 0xb0, 0x37, 0x3b, 0xdb, 0x7b, 0xc9, 0xfd, 0x9c, 0x89, 0x82, + 0x53, 0xc4, 0x78, 0x98, 0x83, 0x88, 0xc7, 0xa9, 0x77, 0xe7, 0xdb, 0x6d, 0x11, 0xab, 0x60, 0x84, + 0x39, 0x98, 0x50, 0x9c, 0xc1, 0x46, 0x6b, 0x70, 0xda, 0x68, 0xb9, 0x41, 0xbc, 0xad, 0xed, 0x8d, + 0x30, 0x92, 0xfb, 0xd6, 0xa7, 0x75, 0xf8, 0x76, 0x2f, 0x0e, 0xce, 0x7d, 0x92, 0x1a, 0x48, 0xae, + 0xd3, 0x76, 0x5c, 0x2f, 0xe9, 0x8a, 0xd3, 0x26, 0x25, 0xce, 0x17, 0x44, 0x3b, 0x56, 0x18, 0xf6, + 0x3f, 0x18, 0x81, 0x93, 0x3c, 0x5e, 0x99, 0xa8, 0x70, 0x7c, 0xf4, 0x01, 0xa8, 0xc5, 0x89, 0x13, + 0x71, 0x97, 0x95, 0x75, 0x68, 0xd1, 0xa5, 0x6b, 0x3c, 0x48, 0x22, 
0x58, 0xd3, 0x43, 0xef, 0x67, + 0x05, 0xf2, 0xbc, 0x78, 0x9b, 0x51, 0x2f, 0x3d, 0x9c, 0x43, 0xec, 0xb2, 0xa2, 0x80, 0x0d, 0x6a, + 0xe8, 0xdb, 0xa1, 0xd2, 0xde, 0x76, 0x62, 0xe9, 0xad, 0x7d, 0x5e, 0xca, 0x89, 0x35, 0xda, 0xf8, + 0x60, 0x6f, 0xf6, 0x4c, 0xf6, 0x55, 0x19, 0x00, 0xf3, 0x87, 0x4c, 0x29, 0x3f, 0x72, 0x80, 0x94, + 0x7f, 0x1e, 0x46, 0x9b, 0x51, 0xb7, 0x71, 0x75, 0x3e, 0x7b, 0xcf, 0xd1, 0x22, 0x6b, 0xc5, 0x02, + 0x4a, 0x65, 0xd2, 0x36, 0x67, 0xd9, 0xa4, 0xc8, 0xa3, 0x69, 0xcb, 0xe3, 0xaa, 0x06, 0x61, 0x13, + 0x0f, 0x7d, 0xae, 0x37, 0x9a, 0x7d, 0xec, 0x08, 0xb2, 0x9d, 0x06, 0x8d, 0x63, 0xbf, 0x04, 0x35, + 0xd1, 0xd5, 0xf5, 0x10, 0xbd, 0x04, 0x13, 0xdc, 0x19, 0x58, 0x8f, 0x9c, 0xc0, 0xdd, 0xce, 0x3a, + 0x71, 0xd6, 0x0d, 0x18, 0x4e, 0x61, 0xda, 0x2b, 0x30, 0x32, 0xa0, 0x90, 0x1d, 0x68, 0x6f, 0xfe, + 0x1e, 0xa8, 0x52, 0x72, 0x72, 0xa3, 0x56, 0x04, 0xc9, 0x10, 0xaa, 0xf2, 0x82, 0x54, 0x64, 0x43, + 0xd9, 0x73, 0x64, 0xd4, 0x92, 0x5a, 0x42, 0x4b, 0x71, 0xdc, 0x61, 0xd3, 0x8e, 0x02, 0xd1, 0x73, + 0x50, 0x26, 0xf7, 0xda, 0xd9, 0xf0, 0xa4, 0x4b, 0xf7, 0xda, 0x5e, 0x44, 0x62, 0x8a, 0x44, 0xee, + 0xb5, 0xd1, 0x39, 0x28, 0x79, 0x4d, 0x31, 0x23, 0x41, 0xe0, 0x94, 0x96, 0x16, 0x71, 0xc9, 0x6b, + 0xda, 0xf7, 0xa0, 0xa6, 0x6e, 0x64, 0x45, 0x3b, 0xd2, 0xb4, 0xb2, 0x8a, 0x88, 0x57, 0x97, 0x74, + 0xfb, 0x18, 0x55, 0x1d, 0x00, 0x5d, 0x3c, 0xa4, 0x28, 0x15, 0x7c, 0x1e, 0x46, 0xdc, 0x50, 0x94, + 0x7d, 0xaa, 0x6a, 0x32, 0xcc, 0x96, 0x62, 0x10, 0xfb, 0x36, 0x4c, 0x5d, 0x0f, 0xc2, 0xbb, 0xec, + 0x6e, 0x34, 0x56, 0x0a, 0x9c, 0x12, 0xde, 0xa4, 0x3f, 0xb2, 0x16, 0x3c, 0x83, 0x62, 0x0e, 0x53, + 0x05, 0x7f, 0x4b, 0xfd, 0x0a, 0xfe, 0xda, 0x1f, 0xb7, 0x60, 0x42, 0x79, 0x63, 0xaf, 0xec, 0xee, + 0x0c, 0x76, 0x0a, 0x6c, 0x94, 0xe7, 0x28, 0x1d, 0x50, 0x9e, 0x43, 0x1e, 0x18, 0x97, 0xfb, 0x1d, + 0x18, 0xdb, 0x7f, 0x61, 0xc1, 0x49, 0xd5, 0x05, 0x69, 0x33, 0xbd, 0x04, 0x13, 0x1b, 0x1d, 0xcf, + 0x6f, 0xca, 0x1a, 0xe7, 0x99, 0xe5, 0x52, 0x37, 0x60, 0x38, 0x85, 0x89, 0x2e, 0x02, 0x6c, 0x78, + 0x81, 
0x13, 0x75, 0xd7, 0xb4, 0x91, 0xa6, 0xf4, 0x76, 0x5d, 0x41, 0xb0, 0x81, 0x85, 0x3e, 0x0a, + 0xd5, 0x5d, 0x19, 0x27, 0x50, 0x2e, 0xb4, 0xaa, 0x84, 0x18, 0x0f, 0xbd, 0x12, 0x54, 0xe0, 0x81, + 0xe2, 0x68, 0x7f, 0xa1, 0x0c, 0x53, 0xe9, 0x4a, 0x10, 0x03, 0x78, 0x50, 0x9e, 0x83, 0x0a, 0x2b, + 0x0e, 0x91, 0x9d, 0x58, 0xbc, 0x28, 0x39, 0x87, 0xa1, 0x18, 0x46, 0xb9, 0x28, 0x29, 0xe6, 0xfa, + 0x5e, 0xd5, 0x49, 0xe5, 0xa7, 0x65, 0x4e, 0x6c, 0x71, 0xe8, 0x21, 0x58, 0xa1, 0x4f, 0x59, 0x30, + 0x16, 0xb6, 0xcd, 0x4a, 0xb3, 0xef, 0x2b, 0xb2, 0x4a, 0x86, 0x48, 0x45, 0x17, 0xd6, 0x90, 0x9a, + 0x78, 0x72, 0x32, 0x48, 0xd6, 0xe7, 0xbe, 0x0d, 0x26, 0x4c, 0xcc, 0x83, 0x0c, 0xa2, 0xaa, 0x69, + 0x10, 0x7d, 0xd6, 0x9c, 0x92, 0xa2, 0x0e, 0xc8, 0x00, 0x8b, 0xfd, 0x26, 0x54, 0x5c, 0x15, 0x78, + 0xf9, 0x50, 0xf7, 0x72, 0xa8, 0x3a, 0x79, 0x2c, 0xa8, 0x85, 0x53, 0xb3, 0x7f, 0xdf, 0x32, 0xe6, + 0x07, 0x26, 0xf1, 0x52, 0x13, 0x45, 0x50, 0xde, 0xda, 0xdd, 0x11, 0x46, 0xc6, 0xb5, 0x82, 0x86, + 0xf7, 0xca, 0xee, 0x8e, 0x5e, 0x61, 0x66, 0x2b, 0xa6, 0xcc, 0x06, 0x38, 0x4c, 0x48, 0x95, 0x8b, + 0x29, 0x1f, 0x5c, 0x2e, 0xc6, 0xfe, 0x62, 0x09, 0xa6, 0x7b, 0x26, 0x15, 0x7a, 0x0d, 0x2a, 0x11, + 0x7d, 0x4b, 0xf1, 0x7a, 0xcb, 0x85, 0x15, 0x78, 0x89, 0x97, 0x9a, 0x5a, 0x79, 0xa7, 0xdb, 0x31, + 0x67, 0x89, 0xae, 0x01, 0xd2, 0xe1, 0xc1, 0xea, 0x24, 0x83, 0xbf, 0xb2, 0x8a, 0x21, 0x9c, 0xef, + 0xc1, 0xc0, 0x39, 0x4f, 0xa1, 0x97, 0xb3, 0x07, 0x22, 0x99, 0xda, 0xe5, 0xfb, 0x9d, 0x6d, 0xd8, + 0xaf, 0x9b, 0x53, 0xf0, 0x96, 0x16, 0xa6, 0xc3, 0x6e, 0x4e, 0x7b, 0x24, 0x6b, 0x79, 0x50, 0xc9, + 0x6a, 0xff, 0x42, 0x09, 0x26, 0x53, 0xb5, 0x88, 0x91, 0x0f, 0x55, 0xe2, 0xb3, 0x73, 0x7b, 0xa9, + 0x7d, 0x87, 0xbd, 0x4a, 0x49, 0xc9, 0xc9, 0x4b, 0x82, 0x2e, 0x56, 0x1c, 0x1e, 0x8f, 0x68, 0xc7, + 0x97, 0x60, 0x42, 0x76, 0xe8, 0x7d, 0x4e, 0xcb, 0xcf, 0x0e, 0xdf, 0x25, 0x03, 0x86, 0x53, 0x98, + 0xf6, 0xaf, 0x94, 0x61, 0x86, 0x07, 0x3a, 0x34, 0xd5, 0x62, 0x50, 0x01, 0x4b, 0x3f, 0xa8, 0x2b, + 0x86, 0xf3, 0x81, 0xdc, 0x18, 0xf6, 0xe6, 
0xc2, 0x7c, 0x46, 0x03, 0x05, 0xe9, 0x7f, 0x39, 0x13, + 0xa4, 0xcf, 0xb7, 0xea, 0x5b, 0x47, 0xd4, 0xa3, 0xaf, 0xaf, 0xa8, 0xfd, 0x7f, 0x52, 0x82, 0x13, + 0x99, 0x6b, 0x21, 0xd1, 0x17, 0xd2, 0x37, 0x09, 0x59, 0x45, 0x1c, 0x03, 0xee, 0x7b, 0x53, 0xe0, + 0xe1, 0xee, 0x13, 0x7a, 0x44, 0x4b, 0xc5, 0xfe, 0xdd, 0x12, 0x4c, 0xa5, 0xef, 0xb3, 0x7c, 0x0c, + 0x47, 0xea, 0xad, 0x50, 0x63, 0x57, 0xb6, 0x5d, 0x27, 0x5d, 0x79, 0xda, 0xc8, 0x6f, 0xc7, 0x92, + 0x8d, 0x58, 0xc3, 0x1f, 0x8b, 0x6b, 0x9a, 0xec, 0x7f, 0x6a, 0xc1, 0x19, 0xfe, 0x96, 0xd9, 0x79, + 0xf8, 0x37, 0xf3, 0x46, 0xf7, 0x95, 0x62, 0x3b, 0x98, 0xa9, 0x74, 0x7f, 0xd0, 0xf8, 0x52, 0xe3, + 0xe5, 0xb4, 0xe8, 0x6d, 0x7a, 0x2a, 0x3c, 0x86, 0x9d, 0x3d, 0xd4, 0x64, 0xb0, 0xff, 0x7d, 0x09, + 0xc6, 0x57, 0x17, 0x96, 0x94, 0x08, 0xbf, 0x00, 0x35, 0x37, 0x22, 0x8e, 0x76, 0xff, 0x98, 0x61, + 0x74, 0x12, 0x80, 0x35, 0x0e, 0xdd, 0x45, 0xf1, 0x30, 0xd4, 0x38, 0xbb, 0x8b, 0xe2, 0x51, 0xaa, + 0x31, 0x96, 0x70, 0xf4, 0x02, 0x54, 0x59, 0xb2, 0xfa, 0xcd, 0x48, 0x6a, 0x1c, 0xbd, 0xb5, 0x66, + 0xed, 0x78, 0x19, 0x2b, 0x0c, 0x4a, 0xb8, 0x19, 0xba, 0x31, 0x45, 0xce, 0x78, 0x64, 0x16, 0x69, + 0x33, 0x5e, 0xc6, 0x12, 0xce, 0x6a, 0x8d, 0x32, 0xaf, 0x05, 0x45, 0xae, 0xa4, 0x3b, 0xcd, 0xdd, + 0x1b, 0x14, 0x5d, 0xe3, 0x1c, 0xa6, 0x26, 0x6d, 0x26, 0x61, 0x74, 0x6c, 0xb0, 0x84, 0x51, 0xfb, + 0x77, 0xcb, 0x50, 0xd3, 0x4e, 0x35, 0x4f, 0x54, 0x68, 0x29, 0xe4, 0x26, 0x85, 0x46, 0x37, 0x70, + 0x15, 0x69, 0x1e, 0x55, 0x60, 0x14, 0x68, 0xf9, 0x7e, 0x0b, 0xc6, 0xbd, 0xc0, 0x4b, 0x3c, 0x87, + 0xf9, 0x06, 0x8b, 0xb9, 0x62, 0x5f, 0xb1, 0x5b, 0xe2, 0x94, 0xc3, 0xc8, 0x3c, 0xfa, 0x57, 0xcc, + 0xb0, 0xc9, 0x19, 0x7d, 0x44, 0xe4, 0x27, 0x96, 0x0b, 0x2b, 0x73, 0x54, 0xcd, 0x24, 0x25, 0xb6, + 0xa9, 0x8d, 0x9d, 0x44, 0x05, 0x55, 0x07, 0xc3, 0x94, 0x94, 0xba, 0xd1, 0x47, 0xed, 0x62, 0x58, + 0x33, 0xe6, 0x8c, 0xec, 0x18, 0x50, 0xef, 0x58, 0x1c, 0x32, 0xf7, 0xeb, 0x02, 0xd4, 0x9c, 0x4e, + 0x12, 0xb6, 0xe8, 0x30, 0x89, 0xc0, 0x01, 0x9d, 0xdd, 0x26, 0x01, 0x58, 0xe3, 
0xd8, 0x3f, 0x5a, + 0x81, 0x4c, 0xbd, 0x14, 0x74, 0x0f, 0x6a, 0xaa, 0x62, 0x4a, 0x31, 0xb9, 0xd4, 0x7a, 0x46, 0xa9, + 0xce, 0xa8, 0x26, 0xac, 0x99, 0xa1, 0x50, 0xba, 0x59, 0xf9, 0x6a, 0x7f, 0x5f, 0xd6, 0xcd, 0x7a, + 0xf5, 0x70, 0xa7, 0x6f, 0x74, 0xce, 0x5e, 0xe0, 0x95, 0x32, 0xe7, 0x0e, 0xf4, 0xcc, 0x96, 0x0f, + 0xf0, 0xcc, 0x7e, 0x42, 0xdc, 0xfd, 0x87, 0x49, 0xdc, 0xf1, 0x13, 0x31, 0x2b, 0xde, 0x53, 0xe0, + 0x6a, 0xe3, 0x84, 0x75, 0xfd, 0x31, 0xfe, 0x1f, 0x1b, 0x4c, 0xd3, 0xfe, 0xf3, 0xd1, 0x23, 0xf5, + 0x9f, 0x8f, 0x15, 0xea, 0x3f, 0xbf, 0x08, 0xc0, 0xe6, 0x38, 0xcf, 0x55, 0xa9, 0x32, 0xb7, 0xa6, + 0x52, 0x35, 0x58, 0x41, 0xb0, 0x81, 0x65, 0x7f, 0x0b, 0xa4, 0x0b, 0xe8, 0xa1, 0x59, 0x59, 0xaf, + 0x8f, 0x9f, 0x0c, 0xb2, 0x34, 0xe1, 0x54, 0x69, 0xbd, 0x9f, 0xb3, 0xc0, 0xac, 0xf2, 0x87, 0x5e, + 0xe5, 0xe5, 0x04, 0xad, 0x22, 0x4e, 0x9a, 0x0c, 0xba, 0x73, 0x2b, 0x4e, 0x3b, 0x13, 0xfd, 0x24, + 0x6b, 0x0a, 0x9e, 0x7b, 0x17, 0x54, 0x25, 0xf4, 0x50, 0x46, 0xf3, 0xc7, 0xe0, 0x94, 0x2c, 0x39, + 0x22, 0x0f, 0x85, 0x44, 0x14, 0xc2, 0xf1, 0x64, 0x9c, 0xfc, 0xbc, 0x05, 0xe7, 0xb3, 0x1d, 0x88, + 0x57, 0xc2, 0xc0, 0x4b, 0xc2, 0xa8, 0x41, 0x92, 0xc4, 0x0b, 0xb6, 0x58, 0xd5, 0xe7, 0xbb, 0x4e, + 0x24, 0x6f, 0xfe, 0x62, 0x02, 0xf3, 0xb6, 0x13, 0x05, 0x98, 0xb5, 0xa2, 0x2e, 0x8c, 0xf2, 0x80, + 0x7a, 0xb1, 0x1b, 0x1a, 0x72, 0x6d, 0xe4, 0x0c, 0x87, 0xde, 0x8e, 0xf1, 0x60, 0x7e, 0x2c, 0x18, + 0xda, 0x5f, 0xb5, 0x00, 0xad, 0xee, 0x92, 0x28, 0xf2, 0x9a, 0x46, 0x0a, 0x00, 0xbb, 0x43, 0xd7, + 0xb8, 0x2b, 0xd7, 0x2c, 0x88, 0x93, 0xb9, 0x43, 0xd7, 0xf8, 0x97, 0x7f, 0x87, 0x6e, 0xe9, 0x70, + 0x77, 0xe8, 0xa2, 0x55, 0x38, 0xd3, 0xe2, 0xdb, 0x39, 0x7e, 0x2f, 0x25, 0xdf, 0xdb, 0xa9, 0xda, + 0x0d, 0x67, 0xef, 0xef, 0xcd, 0x9e, 0x59, 0xc9, 0x43, 0xc0, 0xf9, 0xcf, 0xd9, 0xef, 0x02, 0xc4, + 0x43, 0x61, 0x17, 0xf2, 0xc2, 0x57, 0xfb, 0xba, 0x3b, 0xec, 0x2f, 0x55, 0xe0, 0x44, 0xe6, 0x5e, + 0x18, 0xba, 0x95, 0xee, 0x8d, 0x97, 0x1d, 0x5a, 0x8f, 0xf7, 0x76, 0x6f, 0xa0, 0x08, 0xdc, 0x00, + 0x2a, 0x5e, 0xd0, 
0xee, 0x24, 0xc5, 0x94, 0x8e, 0xe1, 0x9d, 0x58, 0xa2, 0x04, 0x8d, 0xf3, 0x09, + 0xfa, 0x17, 0x73, 0x36, 0x45, 0xc6, 0xf3, 0xa6, 0x36, 0x3b, 0x23, 0x8f, 0xc8, 0xdd, 0xf2, 0x09, + 0x1d, 0x5d, 0x5b, 0x29, 0xc2, 0x97, 0x9c, 0x99, 0x2c, 0x47, 0x1d, 0x7a, 0xf5, 0x33, 0x25, 0x18, + 0x37, 0x3e, 0x1a, 0xfa, 0xf1, 0x74, 0x0d, 0x5c, 0xab, 0xb8, 0x57, 0x62, 0xf4, 0xe7, 0x74, 0x95, + 0x5b, 0xfe, 0x4a, 0xcf, 0xf7, 0x96, 0xbf, 0x7d, 0xb0, 0x37, 0x7b, 0x32, 0x53, 0xe0, 0x36, 0x55, + 0x12, 0xf7, 0xdc, 0x77, 0xc3, 0x89, 0x0c, 0x99, 0x9c, 0x57, 0x5e, 0x37, 0x5f, 0x79, 0x68, 0xb7, + 0x9f, 0x39, 0x64, 0x3f, 0x45, 0x87, 0x4c, 0x54, 0xac, 0x08, 0x7d, 0x32, 0x80, 0xcf, 0x33, 0xb3, + 0xcf, 0x28, 0x0d, 0x58, 0x98, 0xe6, 0x2d, 0x50, 0x6d, 0x87, 0xbe, 0xe7, 0x7a, 0xaa, 0x84, 0x3e, + 0x2b, 0x85, 0xb3, 0x26, 0xda, 0xb0, 0x82, 0xa2, 0xbb, 0x50, 0xbb, 0x73, 0x37, 0xe1, 0xc7, 0x8d, + 0xe2, 0x48, 0xa3, 0xa8, 0x53, 0x46, 0x65, 0xb4, 0xa8, 0xf3, 0x4c, 0xac, 0x79, 0x21, 0x1b, 0x46, + 0x99, 0x12, 0x94, 0xd9, 0xab, 0xec, 0xb8, 0x85, 0x69, 0xc7, 0x18, 0x0b, 0x88, 0xfd, 0x6f, 0xc7, + 0xe1, 0x74, 0xde, 0xe5, 0x5c, 0xe8, 0xa3, 0x30, 0xca, 0xfb, 0x58, 0xcc, 0xfd, 0x8f, 0x79, 0x3c, + 0xae, 0x30, 0x82, 0xa2, 0x5b, 0xec, 0x37, 0x16, 0x3c, 0x05, 0x77, 0xdf, 0xd9, 0x10, 0x33, 0xe4, + 0x68, 0xb8, 0x2f, 0x3b, 0x9a, 0xfb, 0xb2, 0xc3, 0xb9, 0xfb, 0xce, 0x06, 0xba, 0x07, 0x95, 0x2d, + 0x2f, 0x21, 0x8e, 0x70, 0xd2, 0xdc, 0x3e, 0x12, 0xe6, 0xc4, 0xe1, 0x56, 0x1a, 0xfb, 0x89, 0x39, + 0x43, 0xf4, 0x15, 0x0b, 0x4e, 0x6c, 0xa4, 0x2b, 0x62, 0x09, 0xe1, 0xe9, 0x1c, 0xc1, 0x05, 0x6c, + 0x69, 0x46, 0xfc, 0x12, 0xe9, 0x4c, 0x23, 0xce, 0x76, 0x07, 0x7d, 0xd2, 0x82, 0xb1, 0x4d, 0xcf, + 0x37, 0x6e, 0xb8, 0x39, 0x82, 0x8f, 0x73, 0x99, 0x31, 0xd0, 0x3b, 0x0e, 0xfe, 0x3f, 0xc6, 0x92, + 0x73, 0x3f, 0x4d, 0x35, 0x3a, 0xac, 0xa6, 0x1a, 0x7b, 0x44, 0x9a, 0xea, 0x33, 0x16, 0xd4, 0xd4, + 0x48, 0x8b, 0xca, 0x42, 0x1f, 0x38, 0xc2, 0x4f, 0xce, 0x3d, 0x53, 0xea, 0x2f, 0xd6, 0xcc, 0xd1, + 0xeb, 0x16, 0x8c, 0x3b, 0xaf, 0x75, 0x22, 0xd2, 0x24, 
0xbb, 0x61, 0x3b, 0x16, 0x25, 0x7f, 0x5f, + 0x29, 0xbe, 0x33, 0xf3, 0x94, 0xc9, 0x22, 0xd9, 0x5d, 0x6d, 0xc7, 0x22, 0xb3, 0x5e, 0x37, 0x60, + 0xb3, 0x0b, 0xe8, 0xfb, 0xb4, 0x1e, 0x87, 0x22, 0x0a, 0xbf, 0xe7, 0xf5, 0x66, 0xa0, 0x42, 0x11, + 0x04, 0x9e, 0x72, 0xc3, 0x20, 0xf1, 0x82, 0x0e, 0x59, 0x0d, 0x30, 0x69, 0x87, 0x37, 0xc2, 0xe4, + 0x72, 0xd8, 0x09, 0x9a, 0x97, 0xa2, 0x28, 0x8c, 0x58, 0xe9, 0x24, 0xe3, 0xda, 0xdf, 0x85, 0xfe, + 0xa8, 0x78, 0x3f, 0x3a, 0xc3, 0xd8, 0x0c, 0x7b, 0x25, 0x98, 0x3d, 0x60, 0xb0, 0xd1, 0x4b, 0x30, + 0x11, 0x46, 0x5b, 0x4e, 0xe0, 0xbd, 0x66, 0x56, 0x03, 0x54, 0x06, 0xe9, 0xaa, 0x01, 0xc3, 0x29, + 0x4c, 0xb3, 0x4c, 0x54, 0xe9, 0x80, 0x32, 0x51, 0xe7, 0x61, 0x24, 0x22, 0xed, 0x30, 0xbb, 0xaf, + 0x62, 0x09, 0xa8, 0x0c, 0x82, 0x9e, 0x81, 0xb2, 0xd3, 0xf6, 0x84, 0x93, 0x51, 0x6d, 0x17, 0xe7, + 0xd7, 0x96, 0x30, 0x6d, 0x4f, 0x55, 0xad, 0xab, 0x1c, 0x4b, 0xd5, 0x3a, 0xaa, 0x31, 0xc5, 0x31, + 0xda, 0xa8, 0xd6, 0x98, 0xe9, 0xe3, 0x2d, 0xfb, 0x8b, 0x65, 0x78, 0x66, 0xdf, 0xa5, 0xa5, 0x43, + 0xd8, 0xad, 0x7d, 0x42, 0xd8, 0xe5, 0xf0, 0x94, 0x0e, 0x1a, 0x9e, 0x72, 0x9f, 0xe1, 0xf9, 0x24, + 0x95, 0x18, 0xb2, 0x8a, 0xa2, 0x50, 0x12, 0x43, 0xa6, 0x15, 0xf4, 0x2b, 0xca, 0x28, 0x84, 0x85, + 0x84, 0x62, 0xcd, 0x97, 0x6e, 0x97, 0x52, 0x25, 0x92, 0x2a, 0x45, 0x68, 0xcc, 0xbe, 0x95, 0x0c, + 0xb9, 0x98, 0xe8, 0x57, 0x77, 0xc9, 0xfe, 0xc5, 0x11, 0x78, 0x6e, 0x00, 0x45, 0x67, 0xce, 0x62, + 0x6b, 0xc0, 0x59, 0xfc, 0x75, 0xfe, 0x99, 0x3e, 0x9d, 0xfb, 0x99, 0x70, 0xf1, 0x9f, 0x69, 0xff, + 0x2f, 0xc4, 0x4e, 0x22, 0x82, 0x98, 0xb8, 0x9d, 0x88, 0xa7, 0xf3, 0x18, 0xd9, 0xe9, 0x4b, 0xa2, + 0x1d, 0x2b, 0x0c, 0xba, 0xfd, 0x75, 0x1d, 0xba, 0xfc, 0xc7, 0x0a, 0x2a, 0x89, 0x63, 0x26, 0xba, + 0x73, 0xeb, 0x6b, 0x61, 0x9e, 0x4a, 0x00, 0xce, 0xc6, 0xfe, 0x55, 0x0b, 0xce, 0xf5, 0xb7, 0x46, + 0xd0, 0xdb, 0x61, 0x7c, 0x83, 0x05, 0x55, 0xae, 0xb0, 0xd0, 0x29, 0x31, 0x75, 0xd8, 0xfb, 0xea, + 0x66, 0x6c, 0xe2, 0xa0, 0x05, 0x98, 0x36, 0xa3, 0x31, 0x57, 0x8c, 0x98, 0x2b, 0xe6, 0x2f, 
0x59, + 0xcf, 0x02, 0x71, 0x2f, 0x3e, 0x9a, 0x03, 0x48, 0xbc, 0xc4, 0x27, 0xfc, 0x69, 0x3e, 0xd1, 0x98, + 0x43, 0x71, 0x5d, 0xb5, 0x62, 0x03, 0xc3, 0xfe, 0x5a, 0x39, 0xff, 0x35, 0xb8, 0x95, 0x7b, 0x98, + 0xd9, 0x2f, 0xe6, 0x76, 0x69, 0x00, 0x09, 0x5d, 0x3e, 0x6e, 0x09, 0x3d, 0xd2, 0x4f, 0x42, 0xa3, + 0x45, 0x38, 0x69, 0x5c, 0x24, 0xcc, 0x8b, 0x2a, 0xf1, 0xc3, 0x29, 0x55, 0x11, 0x71, 0x2d, 0x03, + 0xc7, 0x3d, 0x4f, 0x3c, 0xe6, 0x53, 0xf5, 0xd7, 0x4a, 0x70, 0xb6, 0xef, 0xc6, 0xe2, 0x98, 0x34, + 0x90, 0xf9, 0xf9, 0x47, 0x8e, 0xe7, 0xf3, 0x9b, 0x1f, 0xa5, 0x72, 0xe0, 0x47, 0x19, 0x44, 0x9d, + 0xff, 0x5e, 0xa9, 0xef, 0x62, 0xa1, 0x1b, 0xd1, 0xbf, 0xb4, 0x23, 0xf9, 0x32, 0x4c, 0x3a, 0xed, + 0x36, 0xc7, 0x63, 0x19, 0x1a, 0x99, 0x2a, 0xad, 0xf3, 0x26, 0x10, 0xa7, 0x71, 0x07, 0x1a, 0xd8, + 0x3f, 0xb2, 0xa0, 0x86, 0xc9, 0x26, 0x97, 0x70, 0xe8, 0x8e, 0x18, 0x22, 0xab, 0x88, 0xab, 0x32, + 0xe8, 0xc0, 0xc6, 0x1e, 0x2b, 0xc4, 0x90, 0x37, 0xd8, 0xc3, 0xd6, 0xd9, 0x50, 0xd7, 0x0f, 0x97, + 0xfb, 0x5f, 0x3f, 0x6c, 0xff, 0x52, 0x8d, 0xbe, 0x5e, 0x3b, 0x5c, 0x88, 0x48, 0x33, 0xa6, 0xdf, + 0xb7, 0x13, 0xf9, 0x62, 0x92, 0xa8, 0xef, 0x7b, 0x13, 0x2f, 0x63, 0xda, 0x9e, 0x3a, 0xa7, 0x2c, + 0x1d, 0xaa, 0x46, 0x65, 0xf9, 0xc0, 0x1a, 0x95, 0x2f, 0xc3, 0x64, 0x1c, 0x6f, 0xaf, 0x45, 0xde, + 0xae, 0x93, 0x90, 0xeb, 0x44, 0x16, 0x90, 0xd2, 0xf5, 0xda, 0x1a, 0x57, 0x35, 0x10, 0xa7, 0x71, + 0xd1, 0x15, 0x98, 0xd6, 0x95, 0x22, 0x49, 0x94, 0xb0, 0x14, 0x48, 0x3e, 0x13, 0x54, 0x71, 0x20, + 0x5d, 0x5b, 0x52, 0x20, 0xe0, 0xde, 0x67, 0xa8, 0xcc, 0x4d, 0x35, 0xd2, 0x8e, 0x8c, 0xa6, 0x65, + 0x6e, 0x8a, 0x0e, 0xed, 0x4b, 0xcf, 0x13, 0x68, 0x05, 0x4e, 0xf1, 0x89, 0x31, 0xdf, 0x6e, 0x1b, + 0x6f, 0x34, 0x96, 0xbe, 0x9f, 0xe0, 0x4a, 0x2f, 0x0a, 0xce, 0x7b, 0x0e, 0xbd, 0x08, 0xe3, 0xaa, + 0x79, 0x69, 0x51, 0x1c, 0xad, 0x29, 0xd7, 0x9e, 0x22, 0xb3, 0xd4, 0xc4, 0x26, 0x1e, 0x7a, 0x1f, + 0x3c, 0xa9, 0xff, 0xf2, 0x94, 0x7a, 0x7e, 0xee, 0xbc, 0x28, 0x8a, 0xf0, 0xaa, 0xeb, 0xef, 0xae, + 0xe4, 0xa2, 0x35, 0x71, 0xbf, 
0xe7, 0xd1, 0x06, 0x9c, 0x53, 0xa0, 0x4b, 0x41, 0xc2, 0x92, 0x5e, + 0x63, 0x52, 0x77, 0x62, 0x16, 0x41, 0x01, 0xec, 0x3d, 0x6d, 0x41, 0xfd, 0xdc, 0x15, 0x2f, 0xb9, + 0x9a, 0x87, 0x89, 0x97, 0xf1, 0x3e, 0x54, 0xd0, 0x05, 0xa8, 0x91, 0xc0, 0xd9, 0xf0, 0xc9, 0xea, + 0xc2, 0x92, 0xd8, 0x91, 0xea, 0x2c, 0x09, 0x09, 0xc0, 0x1a, 0x47, 0xc5, 0xf9, 0x4f, 0xf4, 0x8b, + 0xf3, 0x47, 0x6b, 0x70, 0x7a, 0xcb, 0x6d, 0x53, 0x2b, 0xd3, 0x73, 0xc9, 0xbc, 0xcb, 0x02, 0x8b, + 0xe9, 0x87, 0xe1, 0x17, 0x47, 0xa8, 0x84, 0xa9, 0x2b, 0x0b, 0x6b, 0x3d, 0x38, 0x38, 0xf7, 0x49, + 0x16, 0x80, 0x1e, 0x85, 0xf7, 0xba, 0x33, 0xa7, 0x32, 0x01, 0xe8, 0xb4, 0x11, 0x73, 0x18, 0xba, + 0x06, 0x88, 0x25, 0x0d, 0x5e, 0x4d, 0x92, 0xb6, 0x32, 0x6b, 0x67, 0x4e, 0xa7, 0x4b, 0x72, 0x5e, + 0xee, 0xc1, 0xc0, 0x39, 0x4f, 0x51, 0xab, 0x27, 0x08, 0x19, 0xf5, 0x99, 0x27, 0xd3, 0x56, 0xcf, + 0x0d, 0xde, 0x8c, 0x25, 0x1c, 0x7d, 0x10, 0x66, 0x3a, 0x31, 0x61, 0x1b, 0xe6, 0xdb, 0x61, 0xb4, + 0xe3, 0x87, 0x4e, 0x73, 0x89, 0xdd, 0x73, 0x9c, 0x74, 0x67, 0x66, 0x18, 0xf3, 0xf3, 0xe2, 0xd9, + 0x99, 0x9b, 0x7d, 0xf0, 0x70, 0x5f, 0x0a, 0xd9, 0x9a, 0xb2, 0x67, 0x07, 0xac, 0x29, 0xbb, 0x06, + 0xa7, 0xa5, 0x5e, 0x5b, 0x5d, 0x58, 0x52, 0x2f, 0x3d, 0x73, 0x2e, 0x7d, 0x71, 0xe2, 0x52, 0x0e, + 0x0e, 0xce, 0x7d, 0xd2, 0xfe, 0x43, 0x0b, 0x26, 0x95, 0x04, 0x3b, 0x86, 0x24, 0x66, 0x3f, 0x9d, + 0xc4, 0x7c, 0x65, 0x78, 0x1d, 0xc0, 0x7a, 0xde, 0x27, 0xd5, 0xe6, 0x17, 0x26, 0x01, 0xb4, 0x9e, + 0x50, 0x2a, 0xda, 0xea, 0xab, 0xa2, 0x1f, 0x5b, 0x19, 0x9d, 0x57, 0x23, 0xb4, 0xf2, 0x68, 0x6b, + 0x84, 0x36, 0xe0, 0x8c, 0x9c, 0x52, 0xfc, 0x48, 0xf9, 0x6a, 0x18, 0x2b, 0x91, 0x6f, 0xdc, 0x84, + 0xb9, 0x94, 0x87, 0x84, 0xf3, 0x9f, 0x4d, 0xd9, 0x76, 0x63, 0x07, 0xda, 0x76, 0x4a, 0xca, 0x2d, + 0x6f, 0xca, 0x7b, 0x6a, 0x33, 0x52, 0x6e, 0xf9, 0x72, 0x03, 0x6b, 0x9c, 0x7c, 0x55, 0x57, 0x2b, + 0x48, 0xd5, 0xc1, 0xa1, 0x55, 0x9d, 0x14, 0xba, 0xe3, 0x7d, 0x85, 0xae, 0x3c, 0xba, 0x9a, 0xe8, + 0x7b, 0x74, 0xf5, 0x6e, 0x98, 0xf2, 0x82, 0x6d, 0x12, 0x79, 0x09, 
0x69, 0xb2, 0xb5, 0xc0, 0x04, + 0x72, 0x55, 0x1b, 0x3a, 0x4b, 0x29, 0x28, 0xce, 0x60, 0xa7, 0x35, 0xc5, 0xd4, 0x00, 0x9a, 0xa2, + 0x8f, 0x7e, 0x3e, 0x51, 0x8c, 0x7e, 0x3e, 0x39, 0xbc, 0x7e, 0x9e, 0x3e, 0x52, 0xfd, 0x8c, 0x0a, + 0xd1, 0xcf, 0x03, 0xa9, 0x3e, 0x63, 0x93, 0x7e, 0xfa, 0x80, 0x4d, 0x7a, 0x3f, 0xe5, 0x7c, 0xe6, + 0xa1, 0x95, 0x73, 0xbe, 0xde, 0x7d, 0xe2, 0x0d, 0xbd, 0x5b, 0x84, 0xde, 0xa5, 0xdf, 0xbf, 0x49, + 0xda, 0xc9, 0xf6, 0xcc, 0x53, 0x6c, 0xb2, 0xaa, 0xef, 0xbf, 0x48, 0x1b, 0x31, 0x87, 0xd9, 0x9f, + 0x29, 0xc1, 0x19, 0xad, 0xbe, 0xa8, 0xd0, 0xf0, 0x36, 0xa9, 0x00, 0x67, 0x37, 0xc4, 0xf3, 0x53, + 0x71, 0x23, 0xaf, 0x5e, 0x57, 0x16, 0x50, 0x10, 0x6c, 0x60, 0xb1, 0xf4, 0x74, 0x12, 0xb1, 0xbb, + 0x89, 0xb2, 0xba, 0x6d, 0x41, 0xb4, 0x63, 0x85, 0x41, 0x47, 0x8a, 0xfe, 0x16, 0x55, 0x52, 0xb2, + 0x55, 0xef, 0x17, 0x34, 0x08, 0x9b, 0x78, 0xe8, 0x2d, 0x9c, 0x09, 0x93, 0xab, 0x54, 0xbf, 0x4d, + 0xf0, 0xbd, 0xa7, 0x12, 0xa5, 0x0a, 0x2a, 0xbb, 0xc3, 0xca, 0x27, 0x54, 0x7a, 0xbb, 0xc3, 0x02, + 0x4d, 0x15, 0x86, 0xfd, 0x3f, 0x2d, 0x38, 0x9b, 0x3b, 0x14, 0xc7, 0x60, 0xb3, 0xdc, 0x4b, 0xdb, + 0x2c, 0x8d, 0xa2, 0xf6, 0xad, 0xc6, 0x5b, 0xf4, 0xb1, 0x5f, 0xfe, 0x83, 0x05, 0x53, 0x1a, 0xff, + 0x18, 0x5e, 0xd5, 0x4b, 0xbf, 0x6a, 0x71, 0x5b, 0xf4, 0x5a, 0xcf, 0xbb, 0xfd, 0x4a, 0x09, 0xd4, + 0x4d, 0x14, 0xf3, 0x6e, 0x32, 0x58, 0x6e, 0x5a, 0x17, 0x46, 0x59, 0x98, 0x49, 0x5c, 0x4c, 0x08, + 0x5d, 0x9a, 0x3f, 0x0b, 0x59, 0xd1, 0xa7, 0x7e, 0xec, 0x6f, 0x8c, 0x05, 0x43, 0x76, 0x73, 0x16, + 0x2f, 0xf2, 0xdf, 0x14, 0x59, 0xd6, 0xfa, 0xe6, 0x2c, 0xd1, 0x8e, 0x15, 0x06, 0xd5, 0xaa, 0x9e, + 0x1b, 0x06, 0x0b, 0xbe, 0x13, 0xc7, 0xc2, 0xd0, 0x53, 0x5a, 0x75, 0x49, 0x02, 0xb0, 0xc6, 0x61, + 0x11, 0x28, 0x5e, 0xdc, 0xf6, 0x9d, 0xae, 0xe1, 0x88, 0x31, 0xaa, 0x81, 0x29, 0x10, 0x36, 0xf1, + 0xec, 0x16, 0xcc, 0xa4, 0x5f, 0x62, 0x91, 0x6c, 0xb2, 0x30, 0xf0, 0x81, 0x86, 0xf3, 0x02, 0xd4, + 0x1c, 0xf6, 0xd4, 0x72, 0xc7, 0x11, 0x32, 0x41, 0x07, 0x43, 0x4b, 0x00, 0xd6, 0x38, 0xf6, 0xb7, + 0xc2, 
0xa9, 0x9c, 0x31, 0x1b, 0x20, 0xca, 0xee, 0x17, 0x4a, 0x70, 0x22, 0xfd, 0x64, 0xcc, 0x12, + 0x25, 0x79, 0x9f, 0xbd, 0xd8, 0x0d, 0x77, 0x49, 0xd4, 0xa5, 0xdd, 0xb0, 0x32, 0x89, 0x92, 0x3d, + 0x18, 0x38, 0xe7, 0x29, 0x76, 0x29, 0x4c, 0x53, 0xbd, 0xba, 0x9c, 0x1e, 0xb7, 0x8a, 0x9c, 0x1e, + 0x7a, 0x64, 0xcd, 0xc8, 0x20, 0xc5, 0x12, 0x9b, 0xfc, 0xa9, 0x91, 0xc4, 0xd2, 0x3c, 0xea, 0x1d, + 0xcf, 0x4f, 0xbc, 0x40, 0xbc, 0xb2, 0x98, 0x38, 0xca, 0x48, 0x5a, 0xe9, 0x45, 0xc1, 0x79, 0xcf, + 0xd9, 0x5f, 0x1d, 0x01, 0x55, 0x2e, 0x85, 0x45, 0x6e, 0x16, 0x14, 0xf7, 0x7a, 0xd8, 0x74, 0x5b, + 0xf5, 0xa5, 0x47, 0xf6, 0x0b, 0xa5, 0xe2, 0xae, 0x34, 0xd3, 0xe7, 0xae, 0x06, 0x6c, 0x5d, 0x83, + 0xb0, 0x89, 0x47, 0x7b, 0xe2, 0x7b, 0xbb, 0x84, 0x3f, 0x34, 0x9a, 0xee, 0xc9, 0xb2, 0x04, 0x60, + 0x8d, 0xc3, 0xea, 0xae, 0x7b, 0x9b, 0x9b, 0xc2, 0x2f, 0xa4, 0xeb, 0xae, 0x7b, 0x9b, 0x9b, 0x98, + 0x41, 0xf8, 0xb5, 0x61, 0xe1, 0x8e, 0xd8, 0x18, 0x18, 0xd7, 0x86, 0x85, 0x3b, 0x98, 0x41, 0xe8, + 0x57, 0x0a, 0xc2, 0xa8, 0xe5, 0xf8, 0xde, 0x6b, 0xa4, 0xa9, 0xb8, 0x88, 0x0d, 0x81, 0xfa, 0x4a, + 0x37, 0x7a, 0x51, 0x70, 0xde, 0x73, 0x74, 0x42, 0xb7, 0x23, 0xd2, 0xf4, 0xdc, 0xc4, 0xa4, 0x06, + 0xe9, 0x09, 0xbd, 0xd6, 0x83, 0x81, 0x73, 0x9e, 0x42, 0xf3, 0x70, 0x42, 0x96, 0xbb, 0x91, 0xa5, + 0x22, 0xc7, 0xd3, 0xf5, 0xe6, 0x70, 0x1a, 0x8c, 0xb3, 0xf8, 0x54, 0x62, 0xb5, 0x44, 0xf9, 0x62, + 0xb6, 0x7f, 0x30, 0x24, 0x96, 0x2c, 0x6b, 0x8c, 0x15, 0x86, 0xfd, 0x89, 0x32, 0xd5, 0xb0, 0x7d, + 0xaa, 0x84, 0x1f, 0x5b, 0x9c, 0x75, 0x7a, 0x46, 0x8e, 0x0c, 0x30, 0x23, 0xdf, 0x09, 0x13, 0x77, + 0xe2, 0x30, 0x50, 0x31, 0xcc, 0x95, 0xbe, 0x31, 0xcc, 0x06, 0x56, 0x7e, 0x0c, 0xf3, 0x68, 0x51, + 0x31, 0xcc, 0x63, 0x0f, 0x19, 0xc3, 0xfc, 0xaf, 0x2b, 0xa0, 0xee, 0x85, 0xbd, 0x41, 0x92, 0xbb, + 0x61, 0xb4, 0xe3, 0x05, 0x5b, 0xac, 0x74, 0xcb, 0x57, 0x2c, 0x59, 0xfd, 0x65, 0xd9, 0xcc, 0xf1, + 0xdd, 0x2c, 0xe8, 0x6e, 0xcf, 0x14, 0xb3, 0xb9, 0x75, 0x83, 0x11, 0x8f, 0x85, 0xc9, 0x54, 0x99, + 0x11, 0x6e, 0xfe, 0x54, 0x8f, 0xd0, 0x77, 
0x03, 0x48, 0x27, 0xfa, 0xa6, 0x94, 0xc0, 0x4b, 0xc5, + 0xf4, 0x0f, 0x93, 0x4d, 0x6d, 0xdf, 0xae, 0x2b, 0x26, 0xd8, 0x60, 0x88, 0x3e, 0xa3, 0xf3, 0x9f, + 0x79, 0xd2, 0xd3, 0x47, 0x8e, 0x64, 0x6c, 0x06, 0xc9, 0x7e, 0xc6, 0x30, 0xe6, 0x05, 0x5b, 0x74, + 0x9e, 0x88, 0x58, 0xcf, 0x37, 0xe7, 0x55, 0x06, 0x5b, 0x0e, 0x9d, 0x66, 0xdd, 0xf1, 0x9d, 0xc0, + 0x25, 0xd1, 0x12, 0x47, 0xd7, 0x1b, 0x23, 0xd1, 0x80, 0x25, 0xa1, 0x9e, 0xcb, 0x6b, 0x2b, 0x83, + 0x5c, 0x5e, 0x7b, 0xee, 0x3b, 0x61, 0xba, 0xe7, 0x63, 0x1e, 0x2a, 0xd9, 0x79, 0x88, 0x9a, 0x60, + 0xbf, 0x38, 0xaa, 0x95, 0xd6, 0x8d, 0xb0, 0xc9, 0xef, 0x42, 0x8d, 0xf4, 0x17, 0x15, 0xf6, 0x6b, + 0x81, 0x53, 0x44, 0xa9, 0x19, 0xa3, 0x11, 0x9b, 0x2c, 0xe9, 0x1c, 0x6d, 0x3b, 0x11, 0x09, 0x8e, + 0x7a, 0x8e, 0xae, 0x29, 0x26, 0xd8, 0x60, 0x88, 0xb6, 0x53, 0x59, 0x79, 0x97, 0x87, 0xcf, 0xca, + 0x63, 0xf5, 0x5a, 0xf3, 0xae, 0x0c, 0x7c, 0xdd, 0x82, 0xa9, 0x20, 0x35, 0x73, 0x8b, 0x09, 0xc0, + 0xcf, 0x5f, 0x15, 0xfc, 0x5a, 0xf1, 0x74, 0x1b, 0xce, 0xf0, 0xcf, 0x53, 0x69, 0x95, 0x43, 0xaa, + 0x34, 0x7d, 0x17, 0xf3, 0x68, 0xbf, 0xbb, 0x98, 0x51, 0xa0, 0x2e, 0xc9, 0x1f, 0x2b, 0xa2, 0xb6, + 0x49, 0xea, 0x86, 0x7c, 0xc8, 0xb9, 0x1d, 0xff, 0xb6, 0x99, 0xb4, 0x7b, 0xf8, 0xcb, 0xd2, 0x27, + 0xfb, 0x25, 0xf7, 0xda, 0xff, 0x67, 0x04, 0x4e, 0xca, 0x11, 0x91, 0xc9, 0x3b, 0x54, 0x3f, 0x72, + 0xbe, 0xda, 0x56, 0x56, 0xfa, 0xf1, 0xaa, 0x04, 0x60, 0x8d, 0x43, 0xed, 0xb1, 0x4e, 0x4c, 0x56, + 0xdb, 0x24, 0x58, 0xf6, 0x36, 0x62, 0x71, 0x60, 0xae, 0x16, 0xca, 0x4d, 0x0d, 0xc2, 0x26, 0x1e, + 0xcb, 0x2c, 0x76, 0xcd, 0xf2, 0x1e, 0x3a, 0xb3, 0x58, 0x18, 0xaa, 0x12, 0x8e, 0x7e, 0x2c, 0xf7, + 0xda, 0x92, 0x62, 0x52, 0x5f, 0x7b, 0x72, 0x96, 0x0e, 0x77, 0x5f, 0x09, 0xfa, 0x87, 0x16, 0x9c, + 0xe1, 0xad, 0x72, 0x24, 0x6f, 0xb6, 0x9b, 0x4e, 0x42, 0xe2, 0x62, 0xae, 0x9b, 0xcb, 0xe9, 0x9f, + 0xf6, 0x7b, 0xe7, 0xb1, 0xc5, 0xf9, 0xbd, 0x41, 0x5f, 0xb0, 0xe0, 0xc4, 0x4e, 0xaa, 0x3c, 0x97, + 0x54, 0x1d, 0xc3, 0xd6, 0xae, 0x49, 0x11, 0xd5, 0x4b, 0x2d, 0xdd, 0x1e, 0xe3, 
0x2c, 0x77, 0xfb, + 0xcf, 0x2d, 0x30, 0xc5, 0xe8, 0xf1, 0x57, 0xf5, 0x3a, 0xbc, 0x29, 0x28, 0xad, 0xcb, 0x4a, 0x5f, + 0xeb, 0xf2, 0x19, 0x28, 0x77, 0xbc, 0xa6, 0xd8, 0x5f, 0xe8, 0x23, 0xfa, 0xa5, 0x45, 0x4c, 0xdb, + 0xed, 0xff, 0x57, 0xd1, 0x3e, 0x09, 0x91, 0x51, 0xfa, 0x97, 0xe2, 0xb5, 0x03, 0x55, 0xb6, 0x97, + 0xbf, 0xf9, 0xad, 0x9e, 0xb2, 0xbd, 0x8b, 0x0f, 0x9f, 0x38, 0xcc, 0x07, 0xaa, 0x5f, 0xd5, 0xde, + 0xb1, 0x03, 0xab, 0xf6, 0x56, 0xe9, 0x56, 0x8c, 0x39, 0x19, 0xab, 0xa9, 0xce, 0x55, 0xaf, 0x8a, + 0xf6, 0x07, 0x7b, 0xb3, 0xf5, 0x87, 0xef, 0x9e, 0xa4, 0x82, 0x15, 0x1f, 0xf4, 0x5d, 0x50, 0xa3, + 0xbf, 0x59, 0xa2, 0xb3, 0xd8, 0xec, 0xbd, 0xa2, 0x64, 0xa8, 0x04, 0x14, 0x9a, 0x4d, 0xad, 0xf9, + 0xa1, 0x5d, 0xa8, 0x51, 0x44, 0xce, 0x9c, 0xef, 0x0d, 0xdf, 0xab, 0xd2, 0x8e, 0x25, 0xe0, 0xc1, + 0xde, 0xec, 0xc2, 0xc3, 0x33, 0x57, 0x64, 0xb0, 0x66, 0x65, 0xa8, 0xce, 0xf1, 0x7e, 0xaa, 0xd3, + 0xfe, 0xbf, 0x23, 0x7a, 0xfe, 0x8b, 0x8a, 0xcf, 0x7f, 0x29, 0xe6, 0xff, 0x4b, 0x99, 0xf9, 0x7f, + 0xbe, 0x67, 0xfe, 0x4f, 0xd1, 0x31, 0xcb, 0xa9, 0x3f, 0x7d, 0xdc, 0xc6, 0xc4, 0xc1, 0x3e, 0x0b, + 0x66, 0x45, 0xbd, 0xda, 0xf1, 0x22, 0x12, 0xaf, 0x45, 0x9d, 0xc0, 0x0b, 0xb6, 0xd8, 0x14, 0xae, + 0x9a, 0x56, 0x54, 0x0a, 0x8c, 0xb3, 0xf8, 0xe8, 0x05, 0xa8, 0xd2, 0x79, 0x71, 0xdb, 0xd9, 0xe5, + 0x33, 0xd0, 0xa8, 0xb2, 0xd9, 0x10, 0xed, 0x58, 0x61, 0xa0, 0x6d, 0x78, 0x5a, 0x12, 0x58, 0x24, + 0x3e, 0xa1, 0x2f, 0xc4, 0x42, 0x13, 0xa3, 0x16, 0x4f, 0x1c, 0xe0, 0xd1, 0x25, 0xdf, 0x28, 0x28, + 0x3c, 0x8d, 0xf7, 0xc1, 0xc5, 0xfb, 0x52, 0xb2, 0xff, 0x80, 0x05, 0x23, 0x18, 0x75, 0x20, 0xe8, + 0xec, 0xf3, 0xbd, 0x96, 0x27, 0x8b, 0x81, 0xaa, 0xd9, 0xb7, 0x4c, 0x1b, 0x31, 0x87, 0xa1, 0xbb, + 0x30, 0xb6, 0xe1, 0xb8, 0x3b, 0xe1, 0xe6, 0x66, 0x31, 0x57, 0x79, 0xd5, 0x39, 0x31, 0x56, 0x08, + 0x7c, 0x4c, 0xfc, 0x79, 0xa0, 0x7f, 0x62, 0xc9, 0x8d, 0x5f, 0x23, 0xc1, 0x6e, 0x06, 0x17, 0x8e, + 0x3d, 0xe3, 0x1a, 0x09, 0x7e, 0x61, 0xb8, 0x84, 0xdb, 0xbf, 0x53, 0x81, 0x13, 0x32, 0xb6, 0xec, + 0xaa, 0x17, 0xb3, 
0x70, 0x04, 0xf3, 0x42, 0x85, 0xd2, 0x81, 0x17, 0x2a, 0x7c, 0x08, 0xa0, 0x49, + 0xda, 0x7e, 0xd8, 0x65, 0x76, 0xe6, 0xc8, 0xa1, 0xed, 0x4c, 0xb5, 0x35, 0x59, 0x54, 0x54, 0xb0, + 0x41, 0x51, 0x14, 0x4b, 0xe5, 0xf7, 0x33, 0x64, 0x8a, 0xa5, 0x1a, 0x77, 0x03, 0x8e, 0x1e, 0xef, + 0xdd, 0x80, 0x1e, 0x9c, 0xe0, 0x5d, 0x54, 0x05, 0x19, 0x1e, 0xa2, 0xee, 0x02, 0x4b, 0x69, 0x5b, + 0x4c, 0x93, 0xc1, 0x59, 0xba, 0xe6, 0xc5, 0x7f, 0xd5, 0xe3, 0xbe, 0xf8, 0xef, 0xad, 0x50, 0x93, + 0xdf, 0x39, 0x9e, 0xa9, 0xe9, 0xa2, 0x41, 0x72, 0x1a, 0xc4, 0x58, 0xc3, 0x7b, 0x6a, 0xcc, 0xc0, + 0xa3, 0xaa, 0x31, 0x63, 0xbf, 0x5e, 0xa6, 0x1b, 0x14, 0xde, 0xaf, 0x43, 0xdf, 0x9b, 0x79, 0xd5, + 0xb8, 0x37, 0xf3, 0x70, 0xdf, 0xb3, 0x9a, 0xb9, 0x5f, 0xf3, 0x69, 0x18, 0x49, 0x9c, 0x2d, 0x99, + 0x81, 0xcb, 0xa0, 0xeb, 0xce, 0x56, 0x8c, 0x59, 0xeb, 0x61, 0x6a, 0x4b, 0xbf, 0x0c, 0x93, 0xb1, + 0xb7, 0x15, 0x38, 0x49, 0x27, 0x22, 0xc6, 0xb9, 0xa4, 0x8e, 0xd0, 0x31, 0x81, 0x38, 0x8d, 0x8b, + 0x3e, 0x69, 0x01, 0x44, 0x44, 0x6d, 0x7f, 0x46, 0x8b, 0x98, 0x43, 0x4a, 0x0c, 0x48, 0xba, 0x66, + 0x4d, 0x10, 0xb5, 0xed, 0x31, 0xd8, 0xda, 0x9f, 0xb6, 0x60, 0xba, 0xe7, 0x29, 0xd4, 0x86, 0x51, + 0x97, 0xdd, 0x6e, 0x5a, 0x4c, 0x3d, 0xcc, 0xf4, 0x4d, 0xa9, 0x5c, 0x8f, 0xf1, 0x36, 0x2c, 0xf8, + 0xd8, 0xbf, 0x34, 0x01, 0xa7, 0x1b, 0x0b, 0x2b, 0xf2, 0x56, 0xa4, 0x23, 0x4b, 0x29, 0xce, 0xe3, + 0x71, 0x7c, 0x29, 0xc5, 0x7d, 0xb8, 0xfb, 0x46, 0x4a, 0xb1, 0x6f, 0xa4, 0x14, 0xa7, 0xf3, 0x3b, + 0xcb, 0x45, 0xe4, 0x77, 0xe6, 0xf5, 0x60, 0x90, 0xfc, 0xce, 0x23, 0xcb, 0x31, 0xde, 0xb7, 0x43, + 0x87, 0xca, 0x31, 0x56, 0x09, 0xd8, 0x85, 0xa4, 0x93, 0xf5, 0xf9, 0x54, 0xb9, 0x09, 0xd8, 0x2a, + 0xf9, 0x95, 0xa7, 0x4a, 0x0a, 0xa5, 0xf7, 0x4a, 0xf1, 0x1d, 0x18, 0x20, 0xf9, 0x55, 0x64, 0x6b, + 0x9a, 0x09, 0xd7, 0x63, 0x45, 0x24, 0x5c, 0xe7, 0x75, 0xe7, 0xc0, 0x84, 0xeb, 0x97, 0x61, 0xd2, + 0xf5, 0xc3, 0x80, 0xac, 0x45, 0x61, 0x12, 0xba, 0xa1, 0xbc, 0xd7, 0x5e, 0x5f, 0x0b, 0x6a, 0x02, + 0x71, 0x1a, 0xb7, 0x5f, 0xb6, 0x76, 0x6d, 0xd8, 0x6c, 
0x6d, 0x78, 0x44, 0xd9, 0xda, 0x46, 0x3e, + 0xf2, 0x78, 0x11, 0xf9, 0xc8, 0x79, 0x5f, 0x64, 0xa0, 0x7c, 0xe4, 0x2f, 0x5a, 0x30, 0xe9, 0xdc, + 0x65, 0xfb, 0x16, 0x2e, 0x85, 0xd9, 0x69, 0xdf, 0xf8, 0xc5, 0x0f, 0x1f, 0xc1, 0x84, 0xbd, 0xdd, + 0xd0, 0x6c, 0xea, 0xd3, 0x2c, 0x47, 0xc4, 0x6c, 0xc2, 0xe9, 0x8e, 0x0c, 0x93, 0xc3, 0xfc, 0xa5, + 0x12, 0x7c, 0xc3, 0x81, 0x5d, 0x40, 0x77, 0x01, 0x12, 0x67, 0x4b, 0x4c, 0x54, 0x71, 0x26, 0x36, + 0x64, 0x50, 0xf1, 0xba, 0xa4, 0x27, 0xf2, 0xeb, 0x14, 0x79, 0x6c, 0xb0, 0x62, 0xb1, 0xc4, 0xa1, + 0xdf, 0x53, 0xca, 0x1a, 0x87, 0x3e, 0xc1, 0x0c, 0x42, 0x0d, 0xa1, 0x88, 0x6c, 0x51, 0xe3, 0xbe, + 0x9c, 0x36, 0x84, 0x30, 0x6b, 0xc5, 0x02, 0x8a, 0x5e, 0x84, 0x71, 0xc7, 0xf7, 0x79, 0xae, 0x1f, + 0x89, 0xc5, 0x7d, 0xbd, 0xba, 0x80, 0xad, 0x06, 0x61, 0x13, 0xcf, 0xfe, 0xb3, 0x12, 0xcc, 0x1e, + 0x20, 0x53, 0x7a, 0x72, 0xbc, 0x2b, 0x03, 0xe7, 0x78, 0x8b, 0x5c, 0xa5, 0xd1, 0x3e, 0xb9, 0x4a, + 0x2f, 0xc2, 0x78, 0x42, 0x9c, 0x96, 0x08, 0x43, 0xcc, 0xd6, 0x65, 0x5c, 0xd7, 0x20, 0x6c, 0xe2, + 0x51, 0x29, 0x36, 0xe5, 0xb8, 0x2e, 0x89, 0x63, 0x99, 0x8c, 0x24, 0x1c, 0xe6, 0x85, 0x65, 0x3a, + 0xb1, 0x73, 0x88, 0xf9, 0x14, 0x0b, 0x9c, 0x61, 0x99, 0x1d, 0xf0, 0xda, 0x80, 0x03, 0xfe, 0x13, + 0x25, 0x78, 0x66, 0x5f, 0xed, 0x36, 0x70, 0x9e, 0x58, 0x27, 0x26, 0x51, 0x76, 0xe2, 0xdc, 0x8c, + 0x49, 0x84, 0x19, 0x84, 0x8f, 0x52, 0xbb, 0xad, 0x42, 0xc8, 0x8b, 0x4f, 0xac, 0xe4, 0xa3, 0x94, + 0x62, 0x81, 0x33, 0x2c, 0x1f, 0x76, 0x5a, 0xfe, 0xce, 0x08, 0x3c, 0x37, 0x80, 0x0d, 0x50, 0x60, + 0x02, 0x6a, 0x3a, 0xb9, 0xba, 0xfc, 0x88, 0x92, 0xab, 0x1f, 0x6e, 0xb8, 0xde, 0xc8, 0xc9, 0x1e, + 0x28, 0xd1, 0xf5, 0xa7, 0x4a, 0x70, 0xae, 0xbf, 0xc1, 0x82, 0xbe, 0x03, 0x4e, 0x44, 0x2a, 0xd4, + 0xd0, 0xcc, 0xcb, 0x3e, 0xc5, 0xdd, 0x61, 0x29, 0x10, 0xce, 0xe2, 0xa2, 0x39, 0x80, 0xb6, 0x93, + 0x6c, 0xc7, 0x97, 0xee, 0x79, 0x71, 0x22, 0x0a, 0xd9, 0x4d, 0xf1, 0x43, 0x5c, 0xd9, 0x8a, 0x0d, + 0x0c, 0xca, 0x8e, 0xfd, 0x5b, 0x0c, 0x6f, 0x84, 0x09, 0x7f, 0x88, 0x6f, 0x3d, 0x4f, 0xc9, 
0x6b, + 0x20, 0x0d, 0x10, 0xce, 0xe2, 0x52, 0x76, 0x2c, 0x4c, 0x80, 0x77, 0x74, 0x44, 0x67, 0x72, 0x2f, + 0xab, 0x56, 0x6c, 0x60, 0x64, 0x33, 0xce, 0x2b, 0x07, 0x67, 0x9c, 0xdb, 0xff, 0xa2, 0x04, 0x67, + 0xfb, 0x1a, 0xbc, 0x83, 0x89, 0xa9, 0xc7, 0x2f, 0xeb, 0xfb, 0x21, 0x57, 0xd8, 0xa1, 0xb2, 0x85, + 0xed, 0x3f, 0xea, 0x33, 0xd3, 0x44, 0x26, 0xf0, 0xc3, 0x17, 0x4d, 0x79, 0xfc, 0xc6, 0xb3, 0x27, + 0xf9, 0x77, 0xe4, 0x10, 0xc9, 0xbf, 0x99, 0x8f, 0x51, 0x19, 0x50, 0x3b, 0xfc, 0x97, 0x91, 0xbe, + 0xc3, 0x4b, 0x37, 0xc8, 0x03, 0x1d, 0x36, 0x2c, 0xc2, 0x49, 0x2f, 0x60, 0x17, 0xfb, 0x36, 0x3a, + 0x1b, 0xa2, 0xb6, 0x19, 0x2f, 0xe4, 0xab, 0x52, 0x6f, 0x96, 0x32, 0x70, 0xdc, 0xf3, 0xc4, 0x63, + 0x98, 0x8c, 0xfd, 0x70, 0x43, 0x7a, 0x48, 0xc9, 0xbd, 0x0a, 0x67, 0xe4, 0x50, 0x6c, 0x3b, 0x11, + 0x69, 0x0a, 0x65, 0x1b, 0x8b, 0x64, 0xab, 0xb3, 0x3c, 0x61, 0x2b, 0x07, 0x01, 0xe7, 0x3f, 0xc7, + 0x6e, 0x61, 0x0d, 0xdb, 0x9e, 0x2b, 0xb6, 0x82, 0xfa, 0x16, 0x56, 0xda, 0x88, 0x39, 0x4c, 0xeb, + 0x8b, 0xda, 0xf1, 0xe8, 0x8b, 0x0f, 0x41, 0x4d, 0x8d, 0x37, 0xcf, 0x95, 0x50, 0x93, 0xbc, 0x27, + 0x57, 0x42, 0xcd, 0x70, 0x03, 0x8b, 0xce, 0x0e, 0xba, 0x51, 0xc9, 0xac, 0x56, 0xca, 0x8f, 0xb6, + 0xdb, 0xef, 0x80, 0x09, 0xe5, 0x0b, 0x1c, 0xf4, 0x2e, 0x5c, 0xfb, 0x2f, 0x4a, 0x90, 0xb9, 0xee, + 0x0d, 0xdd, 0x83, 0x5a, 0x33, 0xea, 0xf2, 0xc6, 0x62, 0x0a, 0x49, 0x2f, 0x4a, 0x72, 0xfa, 0xcc, + 0x4c, 0x35, 0x61, 0xcd, 0x0c, 0x7d, 0x94, 0xd7, 0x6a, 0x16, 0xac, 0x4b, 0x45, 0x24, 0xe4, 0x37, + 0x14, 0x3d, 0xf3, 0x92, 0x4b, 0xd9, 0x86, 0x0d, 0x7e, 0x28, 0x81, 0xda, 0xb6, 0xbc, 0xd6, 0xae, + 0x18, 0x71, 0xa7, 0x6e, 0xc9, 0xe3, 0x26, 0x9a, 0xfa, 0x8b, 0x35, 0x23, 0xfb, 0x0f, 0x4b, 0x70, + 0x3a, 0xfd, 0x01, 0xc4, 0x19, 0xe7, 0x4f, 0x5b, 0xf0, 0xa4, 0xef, 0xc4, 0x49, 0xa3, 0xc3, 0x36, + 0x0a, 0x9b, 0x1d, 0x7f, 0x35, 0x53, 0xde, 0x7b, 0x58, 0x67, 0x8b, 0x22, 0x9c, 0xbd, 0x06, 0xb1, + 0xfe, 0xd4, 0xfd, 0xbd, 0xd9, 0x27, 0x97, 0xf3, 0x99, 0xe3, 0x7e, 0xbd, 0x42, 0xaf, 0x5b, 0x70, + 0xd2, 0xed, 0x44, 0x11, 0x09, 
0x12, 0xdd, 0x55, 0xfe, 0x15, 0x6f, 0x14, 0x32, 0x90, 0xba, 0x83, + 0xa7, 0xa9, 0x40, 0x5d, 0xc8, 0xf0, 0xc2, 0x3d, 0xdc, 0xed, 0x1f, 0xa4, 0x9a, 0xb3, 0xef, 0x7b, + 0xfe, 0x15, 0xbb, 0xb7, 0xf1, 0x4f, 0x46, 0x61, 0x32, 0x55, 0xbb, 0x3c, 0x75, 0xd8, 0x67, 0x1d, + 0x78, 0xd8, 0xc7, 0xd2, 0x03, 0x3b, 0x81, 0xbc, 0xda, 0xde, 0x48, 0x0f, 0xec, 0x04, 0x04, 0x73, + 0x98, 0x18, 0x52, 0xdc, 0x09, 0xc4, 0xe9, 0xa3, 0x39, 0xa4, 0xb8, 0x13, 0x60, 0x01, 0x45, 0x1f, + 0xb7, 0x60, 0x82, 0x2d, 0x3e, 0x71, 0xaa, 0x2a, 0x14, 0xda, 0xb5, 0x02, 0x96, 0xbb, 0xac, 0xd7, + 0xcf, 0xc2, 0x50, 0xcd, 0x16, 0x9c, 0xe2, 0x88, 0x3e, 0x65, 0x41, 0x4d, 0xdd, 0x9f, 0x2b, 0xce, + 0x46, 0x1a, 0xc5, 0x96, 0x86, 0xcf, 0x48, 0x3d, 0x55, 0xa3, 0x1b, 0x6b, 0xc6, 0x28, 0x56, 0xe7, + 0x98, 0x63, 0x47, 0x73, 0x8e, 0x09, 0x39, 0x67, 0x98, 0x6f, 0x85, 0x5a, 0xcb, 0x09, 0xbc, 0x4d, + 0x12, 0x27, 0xfc, 0x68, 0x51, 0xde, 0x08, 0x22, 0x1b, 0xb1, 0x86, 0x53, 0x63, 0x3f, 0x66, 0x2f, + 0x96, 0x18, 0x67, 0x81, 0xcc, 0xd8, 0x6f, 0xe8, 0x66, 0x6c, 0xe2, 0x98, 0x07, 0x97, 0xf0, 0x48, + 0x0f, 0x2e, 0xc7, 0x0f, 0x38, 0xb8, 0x6c, 0xc0, 0x19, 0xa7, 0x93, 0x84, 0x57, 0x89, 0xe3, 0xcf, + 0x27, 0x09, 0x69, 0xb5, 0x93, 0x98, 0x97, 0xbb, 0x9f, 0x60, 0x2e, 0x60, 0x15, 0x38, 0xd7, 0x20, + 0xfe, 0x66, 0x0f, 0x12, 0xce, 0x7f, 0xd6, 0xfe, 0x67, 0x16, 0x9c, 0xc9, 0x9d, 0x0a, 0x8f, 0x6f, + 0xca, 0x82, 0xfd, 0x23, 0x15, 0x38, 0x95, 0x73, 0xb3, 0x01, 0xea, 0x9a, 0x8b, 0xc4, 0x2a, 0x22, + 0xfa, 0x2f, 0x1d, 0xcc, 0x26, 0xbf, 0x4d, 0xce, 0xca, 0x38, 0x5c, 0x2c, 0x82, 0x8e, 0x07, 0x28, + 0x1f, 0x6f, 0x3c, 0x80, 0x31, 0xd7, 0x47, 0x1e, 0xe9, 0x5c, 0xaf, 0x1c, 0x30, 0xd7, 0x7f, 0xc6, + 0x82, 0x99, 0x56, 0x9f, 0xeb, 0xca, 0xc4, 0x79, 0xd2, 0xad, 0xa3, 0xb9, 0x0c, 0xad, 0xfe, 0xf4, + 0xfd, 0xbd, 0xd9, 0xbe, 0xb7, 0xc4, 0xe1, 0xbe, 0xbd, 0xb2, 0xbf, 0x5a, 0x06, 0x66, 0xaf, 0xb1, + 0xea, 0xd5, 0x5d, 0xf4, 0x31, 0xf3, 0xa2, 0x14, 0xab, 0xa8, 0xcb, 0x3c, 0x38, 0x71, 0x75, 0xd1, + 0x0a, 0x1f, 0xc1, 0xbc, 0x7b, 0x57, 0xb2, 0x92, 0xb0, 0x34, 0x80, 
0x24, 0xf4, 0xe5, 0x8d, 0x34, + 0xe5, 0xe2, 0x6f, 0xa4, 0xa9, 0x65, 0x6f, 0xa3, 0xd9, 0xff, 0x13, 0x8f, 0x3c, 0x96, 0x9f, 0xf8, + 0x57, 0x2c, 0x2e, 0x78, 0x32, 0x5f, 0x41, 0x9b, 0x1b, 0xd6, 0x3e, 0xe6, 0xc6, 0x0b, 0x50, 0x8d, + 0x85, 0x64, 0x16, 0x66, 0x89, 0x8e, 0x1a, 0x13, 0xed, 0x58, 0x61, 0xd0, 0x5d, 0x97, 0xe3, 0xfb, + 0xe1, 0xdd, 0x4b, 0xad, 0x76, 0xd2, 0x15, 0x06, 0x8a, 0xda, 0x16, 0xcc, 0x2b, 0x08, 0x36, 0xb0, + 0xd0, 0x37, 0xc1, 0x18, 0x2f, 0x33, 0xd1, 0x14, 0xde, 0x9d, 0x71, 0xba, 0x10, 0x79, 0x11, 0x8a, + 0x26, 0x96, 0x30, 0x7b, 0x1b, 0x8c, 0x7d, 0xc5, 0xc3, 0xdf, 0x8a, 0x7d, 0xf0, 0x45, 0x97, 0xf6, + 0xdf, 0x2f, 0x09, 0x56, 0x7c, 0x9f, 0xa0, 0xc3, 0x08, 0xad, 0x43, 0x86, 0x11, 0x7e, 0x14, 0xc0, + 0x0d, 0x5b, 0x6d, 0xba, 0x73, 0x5e, 0x0f, 0x8b, 0xd9, 0x6e, 0x2d, 0x28, 0x7a, 0x7a, 0x5c, 0x75, + 0x1b, 0x36, 0xf8, 0xa5, 0x84, 0x7b, 0xf9, 0x40, 0xe1, 0x9e, 0x92, 0x73, 0x23, 0xfb, 0xcb, 0x39, + 0xfb, 0xcf, 0x2c, 0x48, 0xd9, 0x7d, 0xa8, 0x0d, 0x15, 0xda, 0xdd, 0xae, 0x10, 0x19, 0xab, 0xc5, + 0x19, 0x99, 0x54, 0x56, 0x8b, 0x75, 0xc8, 0x7e, 0x62, 0xce, 0x08, 0xf9, 0x22, 0x64, 0xb2, 0x90, + 0xed, 0x8f, 0xc9, 0xf0, 0x6a, 0x18, 0xee, 0xf0, 0x70, 0x22, 0x1d, 0x7e, 0x69, 0xbf, 0x04, 0xd3, + 0x3d, 0x9d, 0x62, 0x37, 0x69, 0x87, 0x72, 0x0f, 0x6f, 0xac, 0x1f, 0x56, 0xef, 0x01, 0x73, 0x98, + 0xfd, 0x53, 0x16, 0x9c, 0xcc, 0x92, 0x47, 0x5f, 0xb4, 0x60, 0x3a, 0xce, 0xd2, 0x3b, 0xaa, 0xb1, + 0x53, 0xa9, 0x13, 0x3d, 0x20, 0xdc, 0xdb, 0x09, 0xfb, 0xbf, 0x0b, 0x7d, 0x70, 0xdb, 0x0b, 0x9a, + 0xe1, 0x5d, 0x65, 0x29, 0x59, 0x7d, 0x2d, 0x25, 0x2a, 0x20, 0xdc, 0x6d, 0xd2, 0xec, 0xf8, 0x3d, + 0x05, 0x26, 0x1a, 0xa2, 0x1d, 0x2b, 0x0c, 0x96, 0x4f, 0xdf, 0x11, 0x3b, 0xd7, 0xcc, 0xa4, 0x5c, + 0x14, 0xed, 0x58, 0x61, 0xa0, 0x77, 0xc2, 0x84, 0xf1, 0x92, 0x72, 0x5e, 0xb2, 0x6d, 0x87, 0xa1, + 0xc3, 0x63, 0x9c, 0xc2, 0x42, 0x73, 0x00, 0xca, 0xea, 0x92, 0x3a, 0x9b, 0xb9, 0xda, 0x95, 0x68, + 0x8c, 0xb1, 0x81, 0xc1, 0xaa, 0x57, 0xf8, 0x9d, 0x98, 0x9d, 0x25, 0x8f, 0xea, 0xfb, 0x1c, 0x16, + 0x44, 
0x1b, 0x56, 0x50, 0x2a, 0xde, 0x5a, 0x4e, 0xd0, 0x71, 0x7c, 0x3a, 0x42, 0xc2, 0x79, 0xa6, + 0x96, 0xe1, 0x8a, 0x82, 0x60, 0x03, 0x8b, 0xbe, 0x71, 0xe2, 0xb5, 0xc8, 0xfb, 0xc3, 0x40, 0x86, + 0xba, 0xeb, 0xf0, 0x02, 0xd1, 0x8e, 0x15, 0x06, 0x7a, 0x09, 0xc6, 0x9d, 0xa0, 0xc9, 0x4d, 0xc4, + 0x30, 0x12, 0xa7, 0x94, 0x6a, 0xff, 0x79, 0x33, 0x26, 0xf3, 0x1a, 0x8a, 0x4d, 0xd4, 0xec, 0x65, + 0x16, 0x30, 0xe0, 0xa5, 0x79, 0x7f, 0x6a, 0xc1, 0x09, 0x5d, 0xb3, 0x88, 0xf9, 0xd8, 0x52, 0xce, + 0x45, 0xeb, 0x40, 0xe7, 0x62, 0xba, 0x2a, 0x49, 0x69, 0xa0, 0xaa, 0x24, 0x66, 0xc1, 0x90, 0xf2, + 0xbe, 0x05, 0x43, 0xbe, 0x09, 0xc6, 0x76, 0x48, 0xd7, 0xa8, 0x2c, 0xc2, 0xb4, 0xc3, 0x75, 0xde, + 0x84, 0x25, 0x0c, 0xd9, 0x30, 0xea, 0x3a, 0xaa, 0x84, 0xe1, 0x84, 0x88, 0x4e, 0x9b, 0x67, 0x48, + 0x02, 0x62, 0xaf, 0x42, 0x4d, 0x1d, 0xeb, 0x4b, 0x5f, 0x9f, 0x95, 0xef, 0xeb, 0x1b, 0xe8, 0xfa, + 0xfd, 0xfa, 0xc6, 0xaf, 0x7f, 0xed, 0xd9, 0x37, 0xfd, 0xf6, 0xd7, 0x9e, 0x7d, 0xd3, 0x1f, 0x7c, + 0xed, 0xd9, 0x37, 0x7d, 0xfc, 0xfe, 0xb3, 0xd6, 0xaf, 0xdf, 0x7f, 0xd6, 0xfa, 0xed, 0xfb, 0xcf, + 0x5a, 0x7f, 0x70, 0xff, 0x59, 0xeb, 0xab, 0xf7, 0x9f, 0xb5, 0x5e, 0xff, 0xcf, 0xcf, 0xbe, 0xe9, + 0xfd, 0xdf, 0xbe, 0x5f, 0x48, 0xff, 0xee, 0x3b, 0x58, 0x1c, 0x3f, 0x5d, 0xcf, 0x17, 0x8c, 0x49, + 0x7c, 0x41, 0xae, 0xe7, 0xff, 0x1f, 0x00, 0x00, 0xff, 0xff, 0x0a, 0x65, 0x59, 0x12, 0xc0, 0x04, + 0x01, 0x00, } func (m *AWSAuthConfig) Marshal() (dAtA []byte, err error) { @@ -23204,7 +23204,7 @@ func (m *AppHealthStatus) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Status = github_com_argoproj_gitops_engine_pkg_health.HealthStatusCode(dAtA[iNdEx:postIndex]) + m.Status = github_com_argoproj_argo_cd_gitops_engine_pkg_health.HealthStatusCode(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 2: if wireType != 2 { 
@@ -37972,7 +37972,7 @@ func (m *HealthStatus) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Status = github_com_argoproj_gitops_engine_pkg_health.HealthStatusCode(dAtA[iNdEx:postIndex]) + m.Status = github_com_argoproj_argo_cd_gitops_engine_pkg_health.HealthStatusCode(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 2: if wireType != 2 { @@ -42537,7 +42537,7 @@ func (m *OperationState) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Phase = github_com_argoproj_gitops_engine_pkg_sync_common.OperationPhase(dAtA[iNdEx:postIndex]) + m.Phase = github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common.OperationPhase(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 3: if wireType != 2 { @@ -50990,7 +50990,7 @@ func (m *ResourceResult) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.Status = github_com_argoproj_gitops_engine_pkg_sync_common.ResultCode(dAtA[iNdEx:postIndex]) + m.Status = github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common.ResultCode(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 7: if wireType != 2 { @@ -51054,7 +51054,7 @@ func (m *ResourceResult) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.HookType = github_com_argoproj_gitops_engine_pkg_sync_common.HookType(dAtA[iNdEx:postIndex]) + m.HookType = github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common.HookType(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 9: if wireType != 2 { @@ -51086,7 +51086,7 @@ func (m *ResourceResult) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.HookPhase = github_com_argoproj_gitops_engine_pkg_sync_common.OperationPhase(dAtA[iNdEx:postIndex]) + m.HookPhase = github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common.OperationPhase(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 10: if wireType != 2 { 
@@ -51118,7 +51118,7 @@ func (m *ResourceResult) Unmarshal(dAtA []byte) error { if postIndex > l { return io.ErrUnexpectedEOF } - m.SyncPhase = github_com_argoproj_gitops_engine_pkg_sync_common.SyncPhase(dAtA[iNdEx:postIndex]) + m.SyncPhase = github_com_argoproj_argo_cd_gitops_engine_pkg_sync_common.SyncPhase(dAtA[iNdEx:postIndex]) iNdEx = postIndex case 11: if wireType != 2 { diff --git a/pkg/apis/application/v1alpha1/generated.proto b/pkg/apis/application/v1alpha1/generated.proto index 4559d9a1b2..522b9b4fb7 100644 --- a/pkg/apis/application/v1alpha1/generated.proto +++ b/pkg/apis/application/v1alpha1/generated.proto @@ -575,10 +575,10 @@ message ApplicationSourceJsonnet { // ApplicationSourceKustomize holds options specific to an Application source specific to Kustomize message ApplicationSourceKustomize { - // NamePrefix is a prefix appended to resources for Kustomize apps + // NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps optional string namePrefix = 1; - // NameSuffix is a suffix appended to resources for Kustomize apps + // NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps optional string nameSuffix = 2; // Images is a list of Kustomize image override specifications @@ -714,6 +714,7 @@ message ApplicationStatus { optional OperationState operationState = 7; // ObservedAt indicates when the application state was updated without querying latest git state + // // Deprecated: controller no longer updates ObservedAt field optional .k8s.io.apimachinery.pkg.apis.meta.v1.Time observedAt = 8; @@ -2059,6 +2060,7 @@ message ResourceDiff { optional string liveState = 6; // Diff contains the JSON patch representing the difference between the live and target resource. + // // Deprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences. optional string diff = 7; 
diff --git a/pkg/apis/application/v1alpha1/repository_types.go b/pkg/apis/application/v1alpha1/repository_types.go index 8366064a18..ccc2111d65 100644 --- a/pkg/apis/application/v1alpha1/repository_types.go +++ b/pkg/apis/application/v1alpha1/repository_types.go @@ -1,11 +1,9 @@ package v1alpha1 import ( - "context" "fmt" "net/url" "strings" - "time" "github.com/argoproj/argo-cd/v3/util/oci" 
@@ -242,32 +240,7 @@ func (repo *Repository) GetGitCreds(store git.CredsStore) git.Creds {
 return git.NewSSHCreds(repo.SSHPrivateKey, getCAPath(repo.Repo), repo.IsInsecure(), repo.Proxy)
 }
 if repo.GithubAppPrivateKey != "" && repo.GithubAppId != 0 { // Promoter MVP: remove github-app-installation-id check since it is no longer a required field
- installationId := repo.GithubAppInstallationId
-
- // Auto-discover installation ID if not provided
- if installationId == 0 {
- org, err := git.ExtractOrgFromRepoURL(repo.Repo)
- if err != nil {
- log.Warnf("Failed to extract organization from repository URL %s for GitHub App auto-discovery: %v", repo.Repo, err)
- return git.NopCreds{}
- }
- if org != "" {
- ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
- defer cancel()
-
- discoveredId, err := git.DiscoverGitHubAppInstallationID(ctx, repo.GithubAppId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, org)
- if err != nil {
- log.Warnf("Failed to auto-discover GitHub App installation ID for org %s: %v. Proceeding with installation ID 0.", org, err)
- } else {
- log.Infof("Auto-discovered GitHub App installation ID %d for org %s", discoveredId, org)
- installationId = discoveredId
- }
- } else {
- log.Warnf("Could not extract organization from repository URL %s for GitHub App auto-discovery", repo.Repo)
- }
- }
-
- return git.NewGitHubAppCreds(repo.GithubAppId, installationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, repo.NoProxy, store)
+ return git.NewGitHubAppCreds(repo.GithubAppId, repo.GithubAppInstallationId, repo.GithubAppPrivateKey, repo.GitHubAppEnterpriseBaseURL, repo.TLSClientCertData, repo.TLSClientCertKey, repo.IsInsecure(), repo.Proxy, repo.NoProxy, store, repo.Repo)
 }
 if repo.GCPServiceAccountKey != "" {
 return git.NewGoogleCloudCreds(repo.GCPServiceAccountKey, store)
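Review bot: The new call site gives no hint why `repo.Repo` is now passed to `git.NewGitHubAppCreds`; the only nearby explanation is the unchanged `// Promoter MVP` comment, which describes the dropped installation-id check rather than the URL argument. Suggest replacing that comment with `// repo.Repo is passed so the installation ID can be derived from the repository URL when GithubAppInstallationId is 0; this now happens when the creds are used, not here` — the deferred behaviour is inferred from the new tests in repository_types_test.go, so confirm it matches what NewGitHubAppCreds actually does. Note also the behaviour change on an unparseable URL: the removed code logged a warning and returned `git.NopCreds{}`, whereas the new code returns GitHub App creds whose use fails, so any caller that relied on the anonymous fallback should be checked. GetGitCreds starts before this hunk.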
diff --git a/pkg/apis/application/v1alpha1/repository_types_test.go b/pkg/apis/application/v1alpha1/repository_types_test.go index 4774fa5a18..f84847d39a 100644 --- a/pkg/apis/application/v1alpha1/repository_types_test.go +++ b/pkg/apis/application/v1alpha1/repository_types_test.go @@ -73,11 +73,12 @@ func TestGetGitCreds(t *testing.T) { { name: "GitHub App credentials", repo: &Repository{ + Repo: "https://github.com/argoproj/argo-cd", GithubAppPrivateKey: "github-key", GithubAppId: 123, GithubAppInstallationId: 456, }, - expected: git.NewGitHubAppCreds(123, 456, "github-key", "", "", "", false, "", "", nil), + expected: git.NewGitHubAppCreds(123, 456, "github-key", "", "", "", false, "", "", nil, "https://github.com/argoproj/argo-cd"), }, { name: "Google Cloud credentials", 
@@ -100,3 +101,53 @@ func TestGetGitCreds(t *testing.T) { }) } } + +func TestGetGitCreds_GitHubApp_InstallationNotFound(t *testing.T) { + // This test verifies that when GitHub App credentials are provided but the installation + // cannot be discovered (e.g., non-existent org), the error is raised when the credentials + // are used (lazily), providing a clear error message. + repo := &Repository{ + Repo: "https://github.com/nonexistent-org-12345/repo.git", + GithubAppPrivateKey: "github-key", + GithubAppId: 123, + // GithubAppInstallationId is 0 (not set), triggering auto-discovery + } + + creds := repo.GetGitCreds(nil) + + // We should get GitHubAppCreds + ghAppCreds, isGitHubAppCreds := creds.(git.GitHubAppCreds) + require.True(t, isGitHubAppCreds, "expected GitHubAppCreds, got %T", creds) + + // When we try to use these credentials, we should get a clear error about installation discovery failure + _, _, err := ghAppCreds.Environ() + + require.Error(t, err) + assert.Contains(t, err.Error(), "failed to discover GitHub App installation ID") + assert.Contains(t, err.Error(), "nonexistent-org-12345") + assert.Contains(t, err.Error(), "ID: 123") +} + +func TestGetGitCreds_GitHubApp_OrgExtractionFails(t *testing.T) { + // This test verifies that when the organization cannot be extracted from the repo URL, + // the credentials are still created but will provide a clear error when used. 
+ repo := &Repository{ + Repo: "invalid-url-format", + GithubAppPrivateKey: "github-key", + GithubAppId: 123, + // GithubAppInstallationId is 0 (not set), triggering auto-discovery + } + + creds := repo.GetGitCreds(nil) + + // We should get GitHubAppCreds + ghAppCreds, isGitHubAppCreds := creds.(git.GitHubAppCreds) + require.True(t, isGitHubAppCreds, "expected GitHubAppCreds, got %T", creds) + + // When we try to use these credentials, we should get a clear error about org extraction failure + _, _, err := ghAppCreds.Environ() + + require.Error(t, err) + assert.Contains(t, err.Error(), "failed to extract organization") + assert.Contains(t, err.Error(), "invalid-url-format") +} diff --git a/pkg/apis/application/v1alpha1/types.go b/pkg/apis/application/v1alpha1/types.go index 7d3712b259..72d1ad20ac 100644 --- a/pkg/apis/application/v1alpha1/types.go +++ b/pkg/apis/application/v1alpha1/types.go @@ -15,15 +15,16 @@ import ( "path/filepath" "reflect" "regexp" + "slices" "sort" "strconv" "strings" "time" "unicode" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/cespare/xxhash/v2" "github.com/robfig/cron/v3" log "github.com/sirupsen/logrus" 
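Review bot: Both new tests drive the real discovery path through `ghAppCreds.Environ()` with a github.com URL and the placeholder key `"github-key"`, so whether they reach the network or fail locally at key parsing depends on the error ordering inside Environ, which this diff does not show; if discovery is attempted first, TestGetGitCreds_GitHubApp_InstallationNotFound becomes network-dependent and will be flaky offline. The asserted substrings (`"failed to discover GitHub App installation ID"`, `"ID: 123"`, `"failed to extract organization"`) also couple the tests to exact message wording. Consider pointing `GitHubAppEnterpriseBaseURL` at a local test server so the failure mode is deterministic, and add a comment such as `// discovery is lazy: GetGitCreds must not error or contact GitHub; Environ does` to state the contract both tests rely on.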
@@ -684,9 +685,9 @@ func (images KustomizeImages) Find(image KustomizeImage) int { // ApplicationSourceKustomize holds options specific to an Application source specific to Kustomize type ApplicationSourceKustomize struct { - // NamePrefix is a prefix appended to resources for Kustomize apps + // NamePrefix overrides the namePrefix in the kustomization.yaml for Kustomize apps NamePrefix string `json:"namePrefix,omitempty" protobuf:"bytes,1,opt,name=namePrefix"` - // NameSuffix is a suffix appended to resources for Kustomize apps + // NameSuffix overrides the nameSuffix in the kustomization.yaml for Kustomize apps NameSuffix string `json:"nameSuffix,omitempty" protobuf:"bytes,2,opt,name=nameSuffix"` // Images is a list of Kustomize image override specifications Images KustomizeImages `json:"images,omitempty" protobuf:"bytes,3,opt,name=images"` @@ -1192,6 +1193,7 @@ type ApplicationStatus struct { // OperationState contains information about any ongoing operations, such as a sync OperationState *OperationState `json:"operationState,omitempty" protobuf:"bytes,7,opt,name=operationState"` // ObservedAt indicates when the application state was updated without querying latest git state + // // Deprecated: controller no longer updates ObservedAt field ObservedAt *metav1.Time `json:"observedAt,omitempty" protobuf:"bytes,8,opt,name=observedAt"` // SourceType specifies the type of this application @@ -1437,10 +1439,8 @@ type SyncOptions []string // AddOption adds a sync option to the list of sync options and returns the modified list. // If option was already set, returns the unmodified list of sync options. func (o SyncOptions) AddOption(option string) SyncOptions { - for _, j := range o { - if j == option { - return o - } + if slices.Contains(o, option) { + return o } return append(o, option) } 
@@ -1458,12 +1458,7 @@ func (o SyncOptions) RemoveOption(option string) SyncOptions { // HasOption returns true if the list of sync options contains given option func (o SyncOptions) HasOption(option string) bool { - for _, i := range o { - if option == i { - return true - } - } - return false + return slices.Contains(o, option) } type ManagedNamespaceMetadata struct { @@ -2197,6 +2192,7 @@ type ResourceDiff struct { // LiveState contains the JSON-serialized resource manifest of the resource currently running in the cluster. LiveState string `json:"liveState,omitempty" protobuf:"bytes,6,opt,name=liveState"` // Diff contains the JSON patch representing the difference between the live and target resource. + // // Deprecated: Use NormalizedLiveState and PredictedLiveState instead to compute differences. Diff string `json:"diff,omitempty" protobuf:"bytes,7,opt,name=diff"` // Hook indicates whether this resource is a hook resource (e.g., pre-sync or post-sync hooks). @@ -2298,8 +2294,14 @@ func (c *Cluster) Sanitized() *Cluster { ProxyUrl: c.Config.ProxyUrl, DisableCompression: c.Config.DisableCompression, TLSClientConfig: TLSClientConfig{ - Insecure: c.Config.Insecure, + Insecure: c.Config.Insecure, + ServerName: c.Config.ServerName, }, + // We can't know what the user has put into args or + // env vars on the exec provider that might be sensitive + // (e.g. --private-key=XXX, PASSWORD=XXX) + // Implicitly assumes the command executable name is non-sensitive + ExecProviderConfig: nil, }, } } 
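Review bot: In the Cluster.Sanitized hunk the new comment ends with `// Implicitly assumes the command executable name is non-sensitive`, but the line under it sets `ExecProviderConfig: nil`, which drops the command name together with args and env; the comment describes a narrower redaction than the code performs. Suggest `// Drop the whole exec provider config: args/env may carry secrets (e.g. --private-key=XXX, PASSWORD=XXX), so nothing from it, including the command, is exposed` so comment and code agree. The allow-list copy of TLSClientConfig (only Insecure and ServerName) keeps CertData/KeyData/CAData out of the sanitized view, which the TestSanitized change in types_test.go confirms; a one-line comment stating that fields are copied by allow-list would make future additions deliberate rather than accidental.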
@@ -3315,12 +3317,7 @@ type ApplicationDestinationServiceAccount struct { // CascadedDeletion indicates if the deletion finalizer is set and controller should delete the application and it's cascaded resources func (app *Application) CascadedDeletion() bool { - for _, finalizer := range app.Finalizers { - if isPropagationPolicyFinalizer(finalizer) { - return true - } - } - return false + return slices.ContainsFunc(app.Finalizers, isPropagationPolicyFinalizer) } // IsRefreshRequested returns whether a refresh has been requested for an application, and if yes, the type of refresh that should be executed. diff --git a/pkg/apis/application/v1alpha1/types_test.go b/pkg/apis/application/v1alpha1/types_test.go index 50b11066b5..9b03b6e350 100644 --- a/pkg/apis/application/v1alpha1/types_test.go +++ b/pkg/apis/application/v1alpha1/types_test.go @@ -14,7 +14,7 @@ import ( argocdcommon "github.com/argoproj/argo-cd/v3/common" - "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -226,7 +226,6 @@ func TestAppProject_IsDestinationPermitted(t *testing.T) { } for _, data := range testData { - data := data t.Run(data.name, func(t *testing.T) { t.Parallel() @@ -4892,10 +4891,16 @@ func TestSanitized(t *testing.T) { Password: "password123", BearerToken: "abc", TLSClientConfig: TLSClientConfig{ - Insecure: true, + Insecure: true, + ServerName: "server", + CertData: []byte("random bytes we don't want to show in the API response"), + KeyData: []byte("random bytes we don't want to show in the API response"), + CAData: []byte("random bytes we don't want to show in the API response"), }, ExecProviderConfig: &ExecProviderConfig{ - Command: "test", + Command: "this should be omitted in API", + Args: []string{"this should be omitted in API"}, + APIVersion: "this should be omitted in API", }, }, } 
@@ -4921,7 +4926,8 @@ func TestSanitized(t *testing.T) { Annotations: map[string]string{"annotation-key": "annotation-value"}, Config: ClusterConfig{ TLSClientConfig: TLSClientConfig{ - Insecure: true, + Insecure: true, + ServerName: "server", }, }, }, cluster.Sanitized()) diff --git a/renovate-presets/devtool.json5 b/renovate-presets/devtool.json5 index ed2fe194c8..8a933a72d6 100644 --- a/renovate-presets/devtool.json5 +++ b/renovate-presets/devtool.json5 @@ -16,7 +16,7 @@ "go" ], "matchPackageNames": [ - "github.com/golangci/golangci-lint", + "github.com/golangci/golangci-lint/v2", "github.com/vektra/mockery/v3" ], "enabled": true diff --git a/reposerver/apiclient/repository.pb.go b/reposerver/apiclient/repository.pb.go index a71e9fe6ef..45bc012f6a 100644 --- a/reposerver/apiclient/repository.pb.go +++ b/reposerver/apiclient/repository.pb.go @@ -2227,6 +2227,7 @@ type UpdateRevisionForPathsRequest struct { Paths []string `protobuf:"bytes,13,rep,name=paths,proto3" json:"paths,omitempty"` NoRevisionCache bool `protobuf:"varint,14,opt,name=noRevisionCache,proto3" json:"noRevisionCache,omitempty"` InstallationID string `protobuf:"bytes,15,opt,name=installationID,proto3" json:"installationID,omitempty"` + SyncedRefSources map[string]*v1alpha1.RefTarget `protobuf:"bytes,16,rep,name=syncedRefSources,proto3" json:"syncedRefSources,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` 
@@ -2370,6 +2371,13 @@ func (m *UpdateRevisionForPathsRequest) GetInstallationID() string { return "" } +func (m *UpdateRevisionForPathsRequest) GetSyncedRefSources() map[string]*v1alpha1.RefTarget { + if m != nil { + return m.SyncedRefSources + } + return nil +} + type UpdateRevisionForPathsResponse struct { // Changes indicates whether any changes were detected in the provided paths. If false, it means that the manifest // cache was updated to the new revision. If true, it means that there are relevant changes in the repo files and @@ -2470,6 +2478,7 @@ func init() { proto.RegisterType((*GitDirectoriesResponse)(nil), "repository.GitDirectoriesResponse") proto.RegisterType((*UpdateRevisionForPathsRequest)(nil), "repository.UpdateRevisionForPathsRequest") proto.RegisterMapType((map[string]*v1alpha1.RefTarget)(nil), "repository.UpdateRevisionForPathsRequest.RefSourcesEntry") + proto.RegisterMapType((map[string]*v1alpha1.RefTarget)(nil), "repository.UpdateRevisionForPathsRequest.SyncedRefSourcesEntry") proto.RegisterType((*UpdateRevisionForPathsResponse)(nil), "repository.UpdateRevisionForPathsResponse") } 
@@ -2478,158 +2487,160 @@ func init() { } var fileDescriptor_dd8723cfcc820480 = []byte{ - // 2407 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x1a, 0xcb, 0x72, 0x1c, 0x49, - 0x71, 0x9e, 0xd2, 0x4c, 0xea, 0x5d, 0xb6, 0xe5, 0xf6, 0xd8, 0x16, 0xda, 0x06, 0x3b, 0xbc, 0xf6, - 0xee, 0x28, 0x6c, 0xc7, 0xae, 0xc1, 0xbb, 0x2c, 0xa1, 0x95, 0x6d, 0x49, 0x6b, 0xcb, 0x16, 0x6d, - 0xef, 0x12, 0x06, 0x03, 0x51, 0xd3, 0x53, 0xea, 0xe9, 0x55, 0x3f, 0xca, 0xdd, 0xd5, 0x5a, 0xe4, - 0x08, 0x2e, 0x40, 0x70, 0xe1, 0xc2, 0x69, 0x0f, 0x5c, 0xf9, 0x06, 0x82, 0x23, 0x27, 0x02, 0x8e, - 0x04, 0x17, 0x2e, 0x44, 0x40, 0xf8, 0x4b, 0x88, 0x7a, 0xf4, 0x73, 0x7a, 0x46, 0x5a, 0x8f, 0xad, - 0x05, 0x2e, 0x52, 0x57, 0x56, 0x56, 0x66, 0x56, 0x56, 0x66, 0x56, 0x66, 0xd6, 0xc0, 0xe5, 0x80, - 0x50, 0x3f, 0x24, 0xc1, 0x01, 0x09, 0xd6, 0xc4, 0xa7, 0xcd, 0xfc, 0xe0, 0x30, 0xf3, 0xd9, 0xa5, - 0x81, 0xcf, 0x7c, 0x04, 0x29, 0xa4, 0xf3, 0xc0, 0xb2, 0xd9, 0x20, 0xea, 0x75, 0x4d, 0xdf, 0x5d, - 0xc3, 0x81, 0xe5, 0xd3, 0xc0, 0xff, 0x5c, 0x7c, 0xbc, 0x6b, 0xf6, 0xd7, 0x0e, 0x6e, 0xae, 0xd1, - 0x7d, 0x6b, 0x0d, 0x53, 0x3b, 0x5c, 0xc3, 0x94, 0x3a, 0xb6, 0x89, 0x99, 0xed, 0x7b, 0x6b, 0x07, - 0xd7, 0xb1, 0x43, 0x07, 0xf8, 0xfa, 0x9a, 0x45, 0x3c, 0x12, 0x60, 0x46, 0xfa, 0x92, 0x72, 0xe7, - 0xbc, 0xe5, 0xfb, 0x96, 0x43, 0xd6, 0xc4, 0xa8, 0x17, 0xed, 0xad, 0x11, 0x97, 0x32, 0xc5, 0x56, - 0xff, 0xe7, 0x1c, 0x2c, 0xec, 0x60, 0xcf, 0xde, 0x23, 0x21, 0x33, 0xc8, 0xf3, 0x88, 0x84, 0x0c, - 0x3d, 0x83, 0x06, 0x17, 0x46, 0xab, 0xae, 0x56, 0xaf, 0xcc, 0xdc, 0xd8, 0xea, 0xa6, 0xd2, 0x74, - 0x63, 0x69, 0xc4, 0xc7, 0x4f, 0xcd, 0x7e, 0xf7, 0xe0, 0x66, 0x97, 0xee, 0x5b, 0x5d, 0x2e, 0x4d, - 0x37, 0x23, 0x4d, 0x37, 0x96, 0xa6, 0x6b, 0x24, 0xdb, 0x32, 0x04, 0x55, 0xd4, 0x81, 0x56, 0x40, - 0x0e, 0xec, 0xd0, 0xf6, 0x3d, 0xad, 0xb6, 0x5a, 0xbd, 0xd2, 0x36, 0x92, 0x31, 0xd2, 0x60, 0xda, - 0xf3, 0x37, 0xb0, 0x39, 0x20, 0x5a, 0x7d, 0xb5, 0x7a, 0xa5, 0x65, 0xc4, 0x43, 0xb4, 0x0a, 0x33, 
- 0x98, 0xd2, 0x07, 0xb8, 0x47, 0x9c, 0xfb, 0xe4, 0x50, 0x6b, 0x88, 0x85, 0x59, 0x10, 0x5f, 0x8b, - 0x29, 0x7d, 0x88, 0x5d, 0xa2, 0x35, 0xc5, 0x6c, 0x3c, 0x44, 0x17, 0xa0, 0xed, 0x61, 0x97, 0x84, - 0x14, 0x9b, 0x44, 0x6b, 0x89, 0xb9, 0x14, 0x80, 0x7e, 0x0e, 0x4b, 0x19, 0xc1, 0x1f, 0xfb, 0x51, - 0x60, 0x12, 0x0d, 0xc4, 0xd6, 0x1f, 0x4d, 0xb6, 0xf5, 0xf5, 0x22, 0x59, 0x63, 0x98, 0x13, 0xfa, - 0x09, 0x34, 0xc5, 0xc9, 0x6b, 0x33, 0xab, 0xf5, 0xd7, 0xaa, 0x6d, 0x49, 0x16, 0x79, 0x30, 0x4d, - 0x9d, 0xc8, 0xb2, 0xbd, 0x50, 0x9b, 0x15, 0x1c, 0x9e, 0x4c, 0xc6, 0x61, 0xc3, 0xf7, 0xf6, 0x6c, - 0x6b, 0x07, 0x7b, 0xd8, 0x22, 0x2e, 0xf1, 0xd8, 0xae, 0x20, 0x6e, 0xc4, 0x4c, 0xd0, 0x0b, 0x58, - 0xdc, 0x8f, 0x42, 0xe6, 0xbb, 0xf6, 0x0b, 0xf2, 0x88, 0xf2, 0xb5, 0xa1, 0x36, 0x27, 0xb4, 0xf9, - 0x70, 0x32, 0xc6, 0xf7, 0x0b, 0x54, 0x8d, 0x21, 0x3e, 0xdc, 0x48, 0xf6, 0xa3, 0x1e, 0xf9, 0x8c, - 0x04, 0xc2, 0xba, 0xe6, 0xa5, 0x91, 0x64, 0x40, 0xd2, 0x8c, 0x6c, 0x35, 0x0a, 0xb5, 0x85, 0xd5, - 0xba, 0x34, 0xa3, 0x04, 0x84, 0xae, 0xc0, 0xc2, 0x01, 0x09, 0xec, 0xbd, 0xc3, 0xc7, 0xb6, 0xe5, - 0x61, 0x16, 0x05, 0x44, 0x5b, 0x14, 0xa6, 0x58, 0x04, 0x23, 0x17, 0xe6, 0x06, 0xc4, 0x71, 0xb9, - 0xca, 0x37, 0x02, 0xd2, 0x0f, 0xb5, 0x25, 0xa1, 0xdf, 0xcd, 0xc9, 0x4f, 0x50, 0x90, 0x33, 0xf2, - 0xd4, 0xb9, 0x60, 0x9e, 0x6f, 0x28, 0x4f, 0x91, 0x3e, 0x82, 0xa4, 0x60, 0x05, 0x30, 0xba, 0x0c, - 0xf3, 0x2c, 0xc0, 0xe6, 0xbe, 0xed, 0x59, 0x3b, 0x84, 0x0d, 0xfc, 0xbe, 0x76, 0x4a, 0x68, 0xa2, - 0x00, 0x45, 0x26, 0x20, 0xe2, 0xe1, 0x9e, 0x43, 0xfa, 0xd2, 0x16, 0x9f, 0x1c, 0x52, 0x12, 0x6a, - 0xa7, 0xc5, 0x2e, 0x6e, 0x76, 0x33, 0x11, 0xaa, 0x10, 0x20, 0xba, 0x77, 0x87, 0x56, 0xdd, 0xf5, - 0x58, 0x70, 0x68, 0x94, 0x90, 0x43, 0xfb, 0x30, 0xc3, 0xf7, 0x11, 0x9b, 0xc2, 0x19, 0x61, 0x0a, - 0xdb, 0x93, 0xe9, 0x68, 0x2b, 0x25, 0x68, 0x64, 0xa9, 0xa3, 0x2e, 0xa0, 0x01, 0x0e, 0x77, 0x22, - 0x87, 0xd9, 0xd4, 0x21, 0x52, 0x8c, 0x50, 0x5b, 0x16, 0x6a, 0x2a, 0x99, 0x41, 0xf7, 0x01, 0x02, - 0xb2, 0x17, 0xe3, 0x9d, 0x15, 0x3b, 
0xbf, 0x36, 0x6e, 0xe7, 0x46, 0x82, 0x2d, 0x77, 0x9c, 0x59, - 0xce, 0x99, 0xf3, 0x6d, 0x10, 0x93, 0x29, 0x6f, 0x17, 0x6e, 0xad, 0x09, 0x13, 0x2b, 0x99, 0xe1, - 0xb6, 0xa8, 0xa0, 0x22, 0x68, 0x9d, 0x93, 0xd6, 0x9a, 0x01, 0xa1, 0x2d, 0xf8, 0x06, 0xf6, 0x3c, - 0x9f, 0x89, 0xed, 0xc7, 0xa2, 0x6c, 0xaa, 0xf0, 0xbe, 0x8b, 0xd9, 0x20, 0xd4, 0x3a, 0x62, 0xd5, - 0x51, 0x68, 0xdc, 0x24, 0x6c, 0x2f, 0x64, 0xd8, 0x71, 0x04, 0xd2, 0xf6, 0x1d, 0xed, 0xbc, 0x34, - 0x89, 0x3c, 0xb4, 0x73, 0x17, 0xce, 0x8e, 0x38, 0x5c, 0xb4, 0x08, 0xf5, 0x7d, 0x72, 0x28, 0x2e, - 0x85, 0xb6, 0xc1, 0x3f, 0xd1, 0x69, 0x68, 0x1e, 0x60, 0x27, 0x22, 0x22, 0x8c, 0xb7, 0x0c, 0x39, - 0xb8, 0x5d, 0xfb, 0x76, 0xb5, 0xf3, 0xeb, 0x2a, 0x2c, 0x14, 0x54, 0x55, 0xb2, 0xfe, 0xc7, 0xd9, - 0xf5, 0xaf, 0xc1, 0x71, 0xf6, 0x9e, 0xe0, 0xc0, 0x22, 0x2c, 0x23, 0x88, 0xfe, 0xf7, 0x2a, 0x68, - 0x85, 0x33, 0xfc, 0x81, 0xcd, 0x06, 0xf7, 0x6c, 0x87, 0x84, 0xe8, 0x16, 0x4c, 0x07, 0x12, 0xa6, - 0xae, 0xba, 0xf3, 0x63, 0x8e, 0x7e, 0xab, 0x62, 0xc4, 0xd8, 0xe8, 0x23, 0x68, 0xb9, 0x84, 0xe1, - 0x3e, 0x66, 0x58, 0xc9, 0xbe, 0x5a, 0xb6, 0x92, 0x73, 0xd9, 0x51, 0x78, 0x5b, 0x15, 0x23, 0x59, - 0x83, 0xde, 0x83, 0xa6, 0x39, 0x88, 0xbc, 0x7d, 0x71, 0xc9, 0xcd, 0xdc, 0xb8, 0x38, 0x6a, 0xf1, - 0x06, 0x47, 0xda, 0xaa, 0x18, 0x12, 0xfb, 0xe3, 0x29, 0x68, 0x50, 0x1c, 0x30, 0xfd, 0x1e, 0x9c, - 0x2e, 0x63, 0xc1, 0x6f, 0x56, 0x73, 0x40, 0xcc, 0xfd, 0x30, 0x72, 0x95, 0x9a, 0x93, 0x31, 0x42, - 0xd0, 0x08, 0xed, 0x17, 0x52, 0xd5, 0x75, 0x43, 0x7c, 0xeb, 0x6f, 0xc3, 0xd2, 0x10, 0x37, 0x7e, - 0xa8, 0x52, 0x36, 0x4e, 0x61, 0x56, 0xb1, 0xd6, 0x23, 0x38, 0xf3, 0x44, 0xe8, 0x22, 0xb9, 0x5e, - 0x4e, 0x22, 0x57, 0xd0, 0xb7, 0x60, 0xb9, 0xc8, 0x36, 0xa4, 0xbe, 0x17, 0x12, 0xee, 0x6c, 0x22, - 0x1e, 0xdb, 0xa4, 0x9f, 0xce, 0x0a, 0x29, 0x5a, 0x46, 0xc9, 0x8c, 0xfe, 0xfb, 0x1a, 0x2c, 0x1b, - 0x24, 0xf4, 0x9d, 0x03, 0x12, 0x07, 0xcb, 0x93, 0x49, 0x77, 0x7e, 0x04, 0x75, 0x4c, 0xa9, 0x32, - 0x93, 0xed, 0xd7, 0x96, 0x50, 0x18, 0x9c, 0x2a, 0x7a, 0x07, 0x96, 0xb0, 
0xdb, 0xb3, 0xad, 0xc8, - 0x8f, 0xc2, 0x78, 0x5b, 0xc2, 0xa8, 0xda, 0xc6, 0xf0, 0x04, 0x0f, 0x38, 0xa1, 0xf0, 0xc8, 0x6d, - 0xaf, 0x4f, 0x7e, 0x26, 0x72, 0xa8, 0xba, 0x91, 0x05, 0xe9, 0x26, 0x9c, 0x1d, 0x52, 0x92, 0x52, - 0x78, 0x36, 0x6d, 0xab, 0x16, 0xd2, 0xb6, 0x52, 0x31, 0x6a, 0x23, 0xc4, 0xd0, 0x5f, 0x56, 0x61, - 0x31, 0x75, 0x2e, 0x45, 0xfe, 0x02, 0xb4, 0x5d, 0x05, 0x0b, 0xb5, 0xaa, 0x88, 0x99, 0x29, 0x20, - 0x9f, 0xc1, 0xd5, 0x8a, 0x19, 0xdc, 0x32, 0x4c, 0xc9, 0x04, 0x5b, 0x6d, 0x5d, 0x8d, 0x72, 0x22, - 0x37, 0x0a, 0x22, 0xaf, 0x00, 0x84, 0x49, 0x84, 0xd3, 0xa6, 0xc4, 0x6c, 0x06, 0x82, 0x74, 0x98, - 0x95, 0xf7, 0xbd, 0x41, 0xc2, 0xc8, 0x61, 0xda, 0xb4, 0xc0, 0xc8, 0xc1, 0x84, 0xbf, 0xf9, 0xae, - 0x8b, 0xbd, 0x7e, 0xa8, 0xb5, 0x84, 0xc8, 0xc9, 0x58, 0xf7, 0x61, 0xe1, 0x81, 0xcd, 0xf7, 0xb7, - 0x17, 0x9e, 0x8c, 0xab, 0xbc, 0x0f, 0x0d, 0xce, 0x8c, 0x0b, 0xd5, 0x0b, 0xb0, 0x67, 0x0e, 0x48, - 0xac, 0xc7, 0x64, 0xcc, 0x83, 0x00, 0xc3, 0x56, 0xa8, 0xd5, 0x04, 0x5c, 0x7c, 0xeb, 0x7f, 0xac, - 0x49, 0x49, 0xd7, 0x29, 0x0d, 0xbf, 0xfe, 0x02, 0xa0, 0x3c, 0x25, 0xa9, 0x0f, 0xa7, 0x24, 0x05, - 0x91, 0xbf, 0x4a, 0x4a, 0xf2, 0x9a, 0x2e, 0x39, 0x3d, 0x82, 0xe9, 0x75, 0x4a, 0xb9, 0x20, 0xe8, - 0x3a, 0x34, 0x30, 0xa5, 0x52, 0xe1, 0x85, 0x78, 0xae, 0x50, 0xf8, 0x7f, 0x25, 0x92, 0x40, 0xed, - 0xdc, 0x82, 0x76, 0x02, 0x3a, 0x8a, 0x6d, 0x3b, 0xcb, 0x76, 0x15, 0x40, 0xe6, 0xdc, 0xdb, 0xde, - 0x9e, 0xcf, 0x8f, 0x94, 0x3b, 0x82, 0x5a, 0x2a, 0xbe, 0xf5, 0xdb, 0x31, 0x86, 0x90, 0xed, 0x1d, - 0x68, 0xda, 0x8c, 0xb8, 0xb1, 0x70, 0xcb, 0x59, 0xe1, 0x52, 0x42, 0x86, 0x44, 0xd2, 0xff, 0xd2, - 0x82, 0x73, 0xfc, 0xc4, 0x1e, 0x0b, 0x17, 0x5a, 0xa7, 0xf4, 0x0e, 0x61, 0xd8, 0x76, 0xc2, 0xef, - 0x47, 0x24, 0x38, 0x7c, 0xc3, 0x86, 0x61, 0xc1, 0x94, 0xf4, 0x40, 0x15, 0x2d, 0x5f, 0x7b, 0xf9, - 0xa5, 0xc8, 0xa7, 0x35, 0x57, 0xfd, 0xcd, 0xd4, 0x5c, 0x65, 0x35, 0x50, 0xe3, 0x84, 0x6a, 0xa0, - 0xd1, 0x65, 0x70, 0xa6, 0xb8, 0x9e, 0xca, 0x17, 0xd7, 0x25, 0xa5, 0xc5, 0xf4, 0x71, 0x4b, 0x8b, - 0x56, 0x69, 
0x69, 0xe1, 0x96, 0xfa, 0x71, 0x5b, 0xa8, 0xfb, 0xbb, 0x59, 0x0b, 0x1c, 0x69, 0x6b, - 0x93, 0x14, 0x19, 0xf0, 0x46, 0x8b, 0x8c, 0x4f, 0x73, 0x45, 0x83, 0x2c, 0xdb, 0xdf, 0x3b, 0xde, - 0x9e, 0xc6, 0x94, 0x0f, 0xff, 0x77, 0xa9, 0xf7, 0xaf, 0x44, 0xc6, 0x45, 0xfd, 0x54, 0x07, 0xc9, - 0x65, 0xcf, 0xef, 0x21, 0x7e, 0xed, 0xaa, 0xa0, 0xc5, 0xbf, 0xd1, 0x35, 0x68, 0x70, 0x25, 0xab, - 0x94, 0xf8, 0x6c, 0x56, 0x9f, 0xfc, 0x24, 0xd6, 0x29, 0x7d, 0x4c, 0x89, 0x69, 0x08, 0x24, 0x74, - 0x1b, 0xda, 0x89, 0xe1, 0x2b, 0xcf, 0xba, 0x90, 0x5d, 0x91, 0xf8, 0x49, 0xbc, 0x2c, 0x45, 0xe7, - 0x6b, 0xfb, 0x76, 0x40, 0x4c, 0x91, 0x30, 0x36, 0x87, 0xd7, 0xde, 0x89, 0x27, 0x93, 0xb5, 0x09, - 0x3a, 0xba, 0x0e, 0x53, 0xb2, 0xcf, 0x21, 0x3c, 0x68, 0xe6, 0xc6, 0xb9, 0xe1, 0x60, 0x1a, 0xaf, - 0x52, 0x88, 0xfa, 0x9f, 0xab, 0xf0, 0x56, 0x6a, 0x10, 0xb1, 0x37, 0xc5, 0x39, 0xfb, 0xd7, 0x7f, - 0xe3, 0x5e, 0x86, 0x79, 0x51, 0x24, 0xa4, 0xed, 0x0e, 0xd9, 0x79, 0x2b, 0x40, 0xf5, 0x3f, 0x54, - 0xe1, 0xd2, 0xf0, 0x3e, 0x36, 0x06, 0x38, 0x60, 0xc9, 0xf1, 0x9e, 0xc4, 0x5e, 0xe2, 0x0b, 0xaf, - 0x96, 0x5e, 0x78, 0xb9, 0xfd, 0xd5, 0xf3, 0xfb, 0xd3, 0xff, 0x54, 0x83, 0x99, 0x8c, 0x01, 0x95, - 0x5d, 0x98, 0x3c, 0x19, 0x14, 0x76, 0x2b, 0xca, 0x42, 0x71, 0x29, 0xb4, 0x8d, 0x0c, 0x04, 0xed, - 0x03, 0x50, 0x1c, 0x60, 0x97, 0x30, 0x12, 0xf0, 0x48, 0xce, 0x3d, 0xfe, 0xfe, 0xe4, 0xd1, 0x65, - 0x37, 0xa6, 0x69, 0x64, 0xc8, 0xf3, 0x6c, 0x56, 0xb0, 0x0e, 0x55, 0xfc, 0x56, 0x23, 0xf4, 0x05, - 0xcc, 0xef, 0xd9, 0x0e, 0xd9, 0x4d, 0x05, 0x99, 0x12, 0x82, 0x3c, 0x9a, 0x5c, 0x90, 0x7b, 0x59, - 0xba, 0x46, 0x81, 0x8d, 0x7e, 0x15, 0x16, 0x8b, 0xfe, 0xc4, 0x85, 0xb4, 0x5d, 0x6c, 0x25, 0xda, - 0x52, 0x23, 0x1d, 0xc1, 0x62, 0xd1, 0x7f, 0xf4, 0x7f, 0xd5, 0xe0, 0x4c, 0x42, 0x6e, 0xdd, 0xf3, - 0xfc, 0xc8, 0x33, 0x45, 0xeb, 0xb0, 0xf4, 0x2c, 0x4e, 0x43, 0x93, 0xd9, 0xcc, 0x49, 0x12, 0x1f, - 0x31, 0xe0, 0x77, 0x17, 0xf3, 0x7d, 0x87, 0xd9, 0x54, 0x1d, 0x70, 0x3c, 0x94, 0x67, 0xff, 0x3c, - 0xb2, 0x03, 0xd2, 0x17, 0x91, 0xa0, 0x65, 0x24, 
0x63, 0x3e, 0xc7, 0xb3, 0x1a, 0x91, 0xe2, 0x4b, - 0x65, 0x26, 0x63, 0x61, 0xf7, 0xbe, 0xe3, 0x10, 0x93, 0xab, 0x23, 0x53, 0x04, 0x14, 0xa0, 0xa2, - 0xb8, 0x60, 0x81, 0xed, 0x59, 0xaa, 0x04, 0x50, 0x23, 0x2e, 0x27, 0x0e, 0x02, 0x7c, 0xa8, 0x32, - 0x7f, 0x39, 0x40, 0x1f, 0x42, 0xdd, 0xc5, 0x54, 0x5d, 0x74, 0x57, 0x73, 0xd1, 0xa1, 0x4c, 0x03, - 0xdd, 0x1d, 0x4c, 0xe5, 0x4d, 0xc0, 0x97, 0x75, 0xde, 0x87, 0x56, 0x0c, 0xf8, 0x4a, 0x29, 0xe1, - 0xe7, 0x30, 0x97, 0x0b, 0x3e, 0xe8, 0x29, 0x2c, 0xa7, 0x16, 0x95, 0x65, 0xa8, 0x92, 0xc0, 0xb7, - 0x8e, 0x94, 0xcc, 0x18, 0x41, 0x40, 0x7f, 0x0e, 0x4b, 0xdc, 0x64, 0x84, 0xe3, 0x9f, 0x50, 0x69, - 0xf3, 0x01, 0xb4, 0x13, 0x96, 0xa5, 0x36, 0xd3, 0x81, 0xd6, 0x41, 0xdc, 0xd2, 0x95, 0xb5, 0x4d, - 0x32, 0xd6, 0xd7, 0x01, 0x65, 0xe5, 0x55, 0x37, 0xd0, 0xb5, 0x7c, 0x52, 0x7c, 0xa6, 0x78, 0xdd, - 0x08, 0xf4, 0x38, 0x27, 0xfe, 0x47, 0x0d, 0x16, 0x36, 0x6d, 0xd1, 0x23, 0x39, 0xa1, 0x20, 0x77, - 0x15, 0x16, 0xc3, 0xa8, 0xe7, 0xfa, 0xfd, 0xc8, 0x21, 0x2a, 0x29, 0x50, 0x37, 0xfd, 0x10, 0x7c, - 0x5c, 0xf0, 0xe3, 0xca, 0xa2, 0x98, 0x0d, 0x54, 0xf5, 0x2b, 0xbe, 0xd1, 0x87, 0x70, 0xee, 0x21, - 0xf9, 0x42, 0xed, 0x67, 0xd3, 0xf1, 0x7b, 0x3d, 0xdb, 0xb3, 0x62, 0x26, 0x4d, 0xc1, 0x64, 0x34, - 0x42, 0x59, 0xaa, 0x38, 0x55, 0x9e, 0x2a, 0x26, 0x15, 0xf4, 0x86, 0xef, 0xba, 0x36, 0x53, 0x19, - 0x65, 0x0e, 0xa6, 0xff, 0xb2, 0x0a, 0x8b, 0xa9, 0x66, 0xd5, 0xd9, 0xdc, 0x92, 0x3e, 0x24, 0x4f, - 0xe6, 0x52, 0xf6, 0x64, 0x8a, 0xa8, 0xaf, 0xee, 0x3e, 0xb3, 0x59, 0xf7, 0xf9, 0x4d, 0x0d, 0xce, - 0x6c, 0xda, 0x2c, 0x0e, 0x5c, 0xf6, 0xff, 0xda, 0x29, 0x97, 0x9c, 0x49, 0xe3, 0x78, 0x67, 0xd2, - 0x2c, 0x39, 0x93, 0x2e, 0x2c, 0x17, 0x95, 0xa1, 0x0e, 0xe6, 0x34, 0x34, 0xa9, 0x68, 0x3a, 0xcb, - 0xbe, 0x82, 0x1c, 0xe8, 0xbf, 0x98, 0x86, 0x8b, 0x9f, 0xd2, 0x3e, 0x66, 0x49, 0xcf, 0xe8, 0x9e, - 0x1f, 0x88, 0xae, 0xf3, 0xc9, 0x68, 0xb1, 0xf0, 0x32, 0x58, 0x1b, 0xfb, 0x32, 0x58, 0x1f, 0xf3, - 0x32, 0xd8, 0x38, 0xd6, 0xcb, 0x60, 0xf3, 0xc4, 0x5e, 0x06, 0x87, 0x6b, 0xad, 0xa9, 
0xd2, 0x5a, - 0xeb, 0x69, 0xae, 0x1e, 0x99, 0x16, 0x6e, 0xf3, 0x9d, 0xac, 0xdb, 0x8c, 0x3d, 0x9d, 0xb1, 0x4f, - 0x1a, 0x85, 0x07, 0xb5, 0xd6, 0x91, 0x0f, 0x6a, 0xed, 0xe1, 0x07, 0xb5, 0xf2, 0x37, 0x19, 0x18, - 0xf9, 0x26, 0x73, 0x19, 0xe6, 0xc3, 0x43, 0xcf, 0x24, 0xfd, 0xa4, 0x93, 0x38, 0x23, 0xb7, 0x9d, - 0x87, 0xe6, 0x3c, 0x62, 0xb6, 0xe0, 0x11, 0x89, 0xa5, 0xce, 0x65, 0x2c, 0xb5, 0xcc, 0x4f, 0xe6, - 0x47, 0x96, 0xb9, 0x85, 0xe7, 0x92, 0x85, 0xd2, 0xe7, 0x92, 0xff, 0x9a, 0x62, 0xeb, 0x33, 0x58, - 0x19, 0x75, 0xca, 0xca, 0x79, 0x35, 0x98, 0x36, 0x07, 0xd8, 0xb3, 0x44, 0x5b, 0x50, 0x54, 0xff, - 0x6a, 0x38, 0xae, 0x3a, 0xb8, 0xf1, 0xe5, 0x2c, 0x2c, 0xa5, 0x59, 0x3f, 0xff, 0x6b, 0x9b, 0x04, - 0x3d, 0x82, 0xc5, 0xf8, 0x79, 0x29, 0x6e, 0xe4, 0xa2, 0x71, 0x6f, 0x27, 0x9d, 0x0b, 0xe5, 0x93, - 0x52, 0x34, 0xbd, 0x82, 0x4c, 0x38, 0x57, 0x24, 0x98, 0x3e, 0xd3, 0x7c, 0x6b, 0x0c, 0xe5, 0x04, - 0xeb, 0x28, 0x16, 0x57, 0xaa, 0xe8, 0x29, 0xcc, 0xe7, 0x1f, 0x13, 0x50, 0x2e, 0x0d, 0x2a, 0x7d, - 0xdf, 0xe8, 0xe8, 0xe3, 0x50, 0x12, 0xf9, 0x9f, 0x71, 0x33, 0xc8, 0xf5, 0xcd, 0x91, 0x9e, 0xef, - 0x08, 0x94, 0xbd, 0x3c, 0x74, 0xbe, 0x39, 0x16, 0x27, 0xa1, 0xfe, 0x01, 0xb4, 0xe2, 0x5e, 0x72, - 0x5e, 0xcd, 0x85, 0x0e, 0x73, 0x67, 0x31, 0x4f, 0x6f, 0x2f, 0xd4, 0x2b, 0xe8, 0x23, 0x98, 0xe1, - 0x68, 0x8f, 0x36, 0xb6, 0x9f, 0x60, 0xeb, 0x95, 0xd6, 0xb7, 0xe2, 0x5e, 0xeb, 0xf0, 0xe2, 0x4c, - 0x07, 0xb6, 0x73, 0xaa, 0xa4, 0xeb, 0xa9, 0x57, 0xd0, 0xf7, 0x24, 0xff, 0x5d, 0xf5, 0xf3, 0x80, - 0xe5, 0xae, 0xfc, 0x35, 0x4a, 0x37, 0xfe, 0x35, 0x4a, 0xf7, 0xae, 0x4b, 0xd9, 0x61, 0xa7, 0xa4, - 0x2d, 0xa9, 0x08, 0x3c, 0x83, 0xb9, 0x4d, 0xc2, 0xd2, 0x2e, 0x02, 0xba, 0x74, 0xac, 0x5e, 0x4b, - 0x47, 0x2f, 0xa2, 0x0d, 0x37, 0x22, 0xf4, 0x0a, 0xfa, 0xb2, 0x0a, 0xa7, 0x36, 0x09, 0x2b, 0xd6, - 0xe5, 0xe8, 0xdd, 0x72, 0x26, 0x23, 0xea, 0xf7, 0xce, 0xc3, 0x49, 0x7d, 0x3a, 0x4f, 0x56, 0xaf, - 0xa0, 0xdf, 0x56, 0x61, 0x7e, 0x93, 0xf0, 0x73, 0x4b, 0x64, 0xba, 0x3e, 0x5e, 0xa6, 0x92, 0x5a, - 0xbc, 0x33, 0x61, 0x0f, 
0x2c, 0xc3, 0x5d, 0xaf, 0xa0, 0xdf, 0x55, 0xe1, 0x6c, 0x46, 0x57, 0x59, - 0x7e, 0xaf, 0x22, 0xdb, 0x27, 0x13, 0xfe, 0x10, 0x25, 0x43, 0x52, 0xaf, 0xa0, 0x5d, 0x61, 0x26, - 0x69, 0xaa, 0x8f, 0x2e, 0x96, 0xe6, 0xf4, 0x09, 0xf7, 0x95, 0x51, 0xd3, 0x89, 0x69, 0x7c, 0x02, - 0x33, 0x9b, 0x84, 0xc5, 0x39, 0x67, 0xde, 0xf8, 0x0b, 0xe5, 0x40, 0x3e, 0xfa, 0x14, 0xd3, 0x54, - 0x61, 0xc4, 0x4b, 0x92, 0x56, 0x26, 0xaf, 0xca, 0x87, 0x9f, 0xd2, 0x04, 0x34, 0x6f, 0xc4, 0xe5, - 0x69, 0x99, 0x5e, 0x41, 0xcf, 0x61, 0xb9, 0x3c, 0xfa, 0xa3, 0xb7, 0x8f, 0x9d, 0x07, 0x74, 0xae, - 0x1e, 0x07, 0x35, 0x66, 0xf9, 0xf1, 0xfa, 0x5f, 0x5f, 0xae, 0x54, 0xff, 0xf6, 0x72, 0xa5, 0xfa, - 0xef, 0x97, 0x2b, 0xd5, 0x1f, 0xde, 0x3c, 0xe2, 0x07, 0x6b, 0x99, 0xdf, 0xc0, 0x61, 0x6a, 0x9b, - 0x8e, 0x4d, 0x3c, 0xd6, 0x9b, 0x12, 0x21, 0xe0, 0xe6, 0x7f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xc9, - 0x9b, 0xb9, 0x62, 0x22, 0x27, 0x00, 0x00, + // 2441 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x1a, 0x4d, 0x73, 0x1c, 0x47, + 0x55, 0xfb, 0x25, 0xed, 0x3e, 0x7d, 0xad, 0xda, 0x96, 0x3c, 0x5e, 0xdb, 0x42, 0x19, 0xb0, 0xcb, + 0xb1, 0x93, 0x55, 0xd9, 0xae, 0xc4, 0xe0, 0x84, 0xa4, 0x14, 0xd9, 0x96, 0x14, 0x5b, 0xb6, 0x18, + 0x3b, 0xa1, 0x0c, 0x06, 0xaa, 0x77, 0xb6, 0xb5, 0x3b, 0xd9, 0xf9, 0x68, 0xcf, 0xf4, 0x28, 0xc8, + 0x55, 0x9c, 0xa0, 0xb8, 0xc0, 0x81, 0x53, 0x0e, 0x5c, 0xf9, 0x0d, 0x14, 0x47, 0x4e, 0x14, 0x1c, + 0x29, 0x2e, 0x5c, 0xa8, 0x82, 0xf2, 0x0f, 0xa1, 0xa8, 0xfe, 0x98, 0xcf, 0x9d, 0x5d, 0x29, 0x5e, + 0x5b, 0x06, 0x2e, 0xd2, 0x74, 0xf7, 0xeb, 0xf7, 0x5e, 0xbf, 0xaf, 0x7e, 0xef, 0xf5, 0xc2, 0x25, + 0x9f, 0x50, 0x2f, 0x20, 0xfe, 0x01, 0xf1, 0xd7, 0xc5, 0xa7, 0xc5, 0x3c, 0xff, 0x30, 0xf5, 0xd9, + 0xa6, 0xbe, 0xc7, 0x3c, 0x04, 0xc9, 0x4c, 0xeb, 0x7e, 0xcf, 0x62, 0xfd, 0xb0, 0xd3, 0x36, 0x3d, + 0x67, 0x1d, 0xfb, 0x3d, 0x8f, 0xfa, 0xde, 0x17, 0xe2, 0xe3, 0x5d, 0xb3, 0xbb, 0x7e, 0x70, 0x63, + 0x9d, 0x0e, 0x7a, 0xeb, 0x98, 0x5a, 0xc1, 0x3a, 0xa6, 0xd4, 0xb6, 
0x4c, 0xcc, 0x2c, 0xcf, 0x5d, + 0x3f, 0xb8, 0x86, 0x6d, 0xda, 0xc7, 0xd7, 0xd6, 0x7b, 0xc4, 0x25, 0x3e, 0x66, 0xa4, 0x2b, 0x31, + 0xb7, 0xce, 0xf5, 0x3c, 0xaf, 0x67, 0x93, 0x75, 0x31, 0xea, 0x84, 0xfb, 0xeb, 0xc4, 0xa1, 0x4c, + 0x91, 0xd5, 0xff, 0x31, 0x0f, 0x8b, 0xbb, 0xd8, 0xb5, 0xf6, 0x49, 0xc0, 0x0c, 0xf2, 0x2c, 0x24, + 0x01, 0x43, 0x4f, 0xa1, 0xca, 0x99, 0xd1, 0x4a, 0x6b, 0xa5, 0xcb, 0xb3, 0xd7, 0xb7, 0xdb, 0x09, + 0x37, 0xed, 0x88, 0x1b, 0xf1, 0xf1, 0x13, 0xb3, 0xdb, 0x3e, 0xb8, 0xd1, 0xa6, 0x83, 0x5e, 0x9b, + 0x73, 0xd3, 0x4e, 0x71, 0xd3, 0x8e, 0xb8, 0x69, 0x1b, 0xf1, 0xb1, 0x0c, 0x81, 0x15, 0xb5, 0xa0, + 0xee, 0x93, 0x03, 0x2b, 0xb0, 0x3c, 0x57, 0x2b, 0xaf, 0x95, 0x2e, 0x37, 0x8c, 0x78, 0x8c, 0x34, + 0x98, 0x71, 0xbd, 0x4d, 0x6c, 0xf6, 0x89, 0x56, 0x59, 0x2b, 0x5d, 0xae, 0x1b, 0xd1, 0x10, 0xad, + 0xc1, 0x2c, 0xa6, 0xf4, 0x3e, 0xee, 0x10, 0xfb, 0x1e, 0x39, 0xd4, 0xaa, 0x62, 0x63, 0x7a, 0x8a, + 0xef, 0xc5, 0x94, 0x3e, 0xc0, 0x0e, 0xd1, 0x6a, 0x62, 0x35, 0x1a, 0xa2, 0xf3, 0xd0, 0x70, 0xb1, + 0x43, 0x02, 0x8a, 0x4d, 0xa2, 0xd5, 0xc5, 0x5a, 0x32, 0x81, 0x7e, 0x06, 0x4b, 0x29, 0xc6, 0x1f, + 0x79, 0xa1, 0x6f, 0x12, 0x0d, 0xc4, 0xd1, 0x1f, 0x4e, 0x76, 0xf4, 0x8d, 0x3c, 0x5a, 0x63, 0x98, + 0x12, 0xfa, 0x31, 0xd4, 0x84, 0xe6, 0xb5, 0xd9, 0xb5, 0xca, 0x2b, 0x95, 0xb6, 0x44, 0x8b, 0x5c, + 0x98, 0xa1, 0x76, 0xd8, 0xb3, 0xdc, 0x40, 0x9b, 0x13, 0x14, 0x1e, 0x4f, 0x46, 0x61, 0xd3, 0x73, + 0xf7, 0xad, 0xde, 0x2e, 0x76, 0x71, 0x8f, 0x38, 0xc4, 0x65, 0x7b, 0x02, 0xb9, 0x11, 0x11, 0x41, + 0xcf, 0xa1, 0x39, 0x08, 0x03, 0xe6, 0x39, 0xd6, 0x73, 0xf2, 0x90, 0xf2, 0xbd, 0x81, 0x36, 0x2f, + 0xa4, 0xf9, 0x60, 0x32, 0xc2, 0xf7, 0x72, 0x58, 0x8d, 0x21, 0x3a, 0xdc, 0x48, 0x06, 0x61, 0x87, + 0x7c, 0x4e, 0x7c, 0x61, 0x5d, 0x0b, 0xd2, 0x48, 0x52, 0x53, 0xd2, 0x8c, 0x2c, 0x35, 0x0a, 0xb4, + 0xc5, 0xb5, 0x8a, 0x34, 0xa3, 0x78, 0x0a, 0x5d, 0x86, 0xc5, 0x03, 0xe2, 0x5b, 0xfb, 0x87, 0x8f, + 0xac, 0x9e, 0x8b, 0x59, 0xe8, 0x13, 0xad, 0x29, 0x4c, 0x31, 0x3f, 0x8d, 0x1c, 0x98, 0xef, 0x13, + 0xdb, 
0xe1, 0x22, 0xdf, 0xf4, 0x49, 0x37, 0xd0, 0x96, 0x84, 0x7c, 0xb7, 0x26, 0xd7, 0xa0, 0x40, + 0x67, 0x64, 0xb1, 0x73, 0xc6, 0x5c, 0xcf, 0x50, 0x9e, 0x22, 0x7d, 0x04, 0x49, 0xc6, 0x72, 0xd3, + 0xe8, 0x12, 0x2c, 0x30, 0x1f, 0x9b, 0x03, 0xcb, 0xed, 0xed, 0x12, 0xd6, 0xf7, 0xba, 0xda, 0x29, + 0x21, 0x89, 0xdc, 0x2c, 0x32, 0x01, 0x11, 0x17, 0x77, 0x6c, 0xd2, 0x95, 0xb6, 0xf8, 0xf8, 0x90, + 0x92, 0x40, 0x3b, 0x2d, 0x4e, 0x71, 0xa3, 0x9d, 0x8a, 0x50, 0xb9, 0x00, 0xd1, 0xbe, 0x33, 0xb4, + 0xeb, 0x8e, 0xcb, 0xfc, 0x43, 0xa3, 0x00, 0x1d, 0x1a, 0xc0, 0x2c, 0x3f, 0x47, 0x64, 0x0a, 0xcb, + 0xc2, 0x14, 0x76, 0x26, 0x93, 0xd1, 0x76, 0x82, 0xd0, 0x48, 0x63, 0x47, 0x6d, 0x40, 0x7d, 0x1c, + 0xec, 0x86, 0x36, 0xb3, 0xa8, 0x4d, 0x24, 0x1b, 0x81, 0xb6, 0x22, 0xc4, 0x54, 0xb0, 0x82, 0xee, + 0x01, 0xf8, 0x64, 0x3f, 0x82, 0x3b, 0x23, 0x4e, 0x7e, 0x75, 0xdc, 0xc9, 0x8d, 0x18, 0x5a, 0x9e, + 0x38, 0xb5, 0x9d, 0x13, 0xe7, 0xc7, 0x20, 0x26, 0x53, 0xde, 0x2e, 0xdc, 0x5a, 0x13, 0x26, 0x56, + 0xb0, 0xc2, 0x6d, 0x51, 0xcd, 0x8a, 0xa0, 0x75, 0x56, 0x5a, 0x6b, 0x6a, 0x0a, 0x6d, 0xc3, 0x37, + 0xb0, 0xeb, 0x7a, 0x4c, 0x1c, 0x3f, 0x62, 0x65, 0x4b, 0x85, 0xf7, 0x3d, 0xcc, 0xfa, 0x81, 0xd6, + 0x12, 0xbb, 0x8e, 0x02, 0xe3, 0x26, 0x61, 0xb9, 0x01, 0xc3, 0xb6, 0x2d, 0x80, 0x76, 0x6e, 0x6b, + 0xe7, 0xa4, 0x49, 0x64, 0x67, 0x5b, 0x77, 0xe0, 0xcc, 0x08, 0xe5, 0xa2, 0x26, 0x54, 0x06, 0xe4, + 0x50, 0x5c, 0x0a, 0x0d, 0x83, 0x7f, 0xa2, 0xd3, 0x50, 0x3b, 0xc0, 0x76, 0x48, 0x44, 0x18, 0xaf, + 0x1b, 0x72, 0x70, 0xab, 0xfc, 0xed, 0x52, 0xeb, 0x97, 0x25, 0x58, 0xcc, 0x89, 0xaa, 0x60, 0xff, + 0x8f, 0xd2, 0xfb, 0x5f, 0x81, 0xe3, 0xec, 0x3f, 0xc6, 0x7e, 0x8f, 0xb0, 0x14, 0x23, 0xfa, 0xdf, + 0x4a, 0xa0, 0xe5, 0x74, 0xf8, 0x7d, 0x8b, 0xf5, 0xef, 0x5a, 0x36, 0x09, 0xd0, 0x4d, 0x98, 0xf1, + 0xe5, 0x9c, 0xba, 0xea, 0xce, 0x8d, 0x51, 0xfd, 0xf6, 0x94, 0x11, 0x41, 0xa3, 0x8f, 0xa0, 0xee, + 0x10, 0x86, 0xbb, 0x98, 0x61, 0xc5, 0xfb, 0x5a, 0xd1, 0x4e, 0x4e, 0x65, 0x57, 0xc1, 0x6d, 0x4f, + 0x19, 0xf1, 0x1e, 0xf4, 0x1e, 0xd4, 0xcc, 
0x7e, 0xe8, 0x0e, 0xc4, 0x25, 0x37, 0x7b, 0xfd, 0xc2, + 0xa8, 0xcd, 0x9b, 0x1c, 0x68, 0x7b, 0xca, 0x90, 0xd0, 0x9f, 0x4c, 0x43, 0x95, 0x62, 0x9f, 0xe9, + 0x77, 0xe1, 0x74, 0x11, 0x09, 0x7e, 0xb3, 0x9a, 0x7d, 0x62, 0x0e, 0x82, 0xd0, 0x51, 0x62, 0x8e, + 0xc7, 0x08, 0x41, 0x35, 0xb0, 0x9e, 0x4b, 0x51, 0x57, 0x0c, 0xf1, 0xad, 0xbf, 0x0d, 0x4b, 0x43, + 0xd4, 0xb8, 0x52, 0x25, 0x6f, 0x1c, 0xc3, 0x9c, 0x22, 0xad, 0x87, 0xb0, 0xfc, 0x58, 0xc8, 0x22, + 0xbe, 0x5e, 0x4e, 0x22, 0x57, 0xd0, 0xb7, 0x61, 0x25, 0x4f, 0x36, 0xa0, 0x9e, 0x1b, 0x10, 0xee, + 0x6c, 0x22, 0x1e, 0x5b, 0xa4, 0x9b, 0xac, 0x0a, 0x2e, 0xea, 0x46, 0xc1, 0x8a, 0xfe, 0xbb, 0x32, + 0xac, 0x18, 0x24, 0xf0, 0xec, 0x03, 0x12, 0x05, 0xcb, 0x93, 0x49, 0x77, 0x7e, 0x08, 0x15, 0x4c, + 0xa9, 0x32, 0x93, 0x9d, 0x57, 0x96, 0x50, 0x18, 0x1c, 0x2b, 0x7a, 0x07, 0x96, 0xb0, 0xd3, 0xb1, + 0x7a, 0xa1, 0x17, 0x06, 0xd1, 0xb1, 0x84, 0x51, 0x35, 0x8c, 0xe1, 0x05, 0x1e, 0x70, 0x02, 0xe1, + 0x91, 0x3b, 0x6e, 0x97, 0xfc, 0x54, 0xe4, 0x50, 0x15, 0x23, 0x3d, 0xa5, 0x9b, 0x70, 0x66, 0x48, + 0x48, 0x4a, 0xe0, 0xe9, 0xb4, 0xad, 0x94, 0x4b, 0xdb, 0x0a, 0xd9, 0x28, 0x8f, 0x60, 0x43, 0x7f, + 0x51, 0x82, 0x66, 0xe2, 0x5c, 0x0a, 0xfd, 0x79, 0x68, 0x38, 0x6a, 0x2e, 0xd0, 0x4a, 0x22, 0x66, + 0x26, 0x13, 0xd9, 0x0c, 0xae, 0x9c, 0xcf, 0xe0, 0x56, 0x60, 0x5a, 0x26, 0xd8, 0xea, 0xe8, 0x6a, + 0x94, 0x61, 0xb9, 0x9a, 0x63, 0x79, 0x15, 0x20, 0x88, 0x23, 0x9c, 0x36, 0x2d, 0x56, 0x53, 0x33, + 0x48, 0x87, 0x39, 0x79, 0xdf, 0x1b, 0x24, 0x08, 0x6d, 0xa6, 0xcd, 0x08, 0x88, 0xcc, 0x9c, 0xf0, + 0x37, 0xcf, 0x71, 0xb0, 0xdb, 0x0d, 0xb4, 0xba, 0x60, 0x39, 0x1e, 0xeb, 0x1e, 0x2c, 0xde, 0xb7, + 0xf8, 0xf9, 0xf6, 0x83, 0x93, 0x71, 0x95, 0xf7, 0xa1, 0xca, 0x89, 0x71, 0xa6, 0x3a, 0x3e, 0x76, + 0xcd, 0x3e, 0x89, 0xe4, 0x18, 0x8f, 0x79, 0x10, 0x60, 0xb8, 0x17, 0x68, 0x65, 0x31, 0x2f, 0xbe, + 0xf5, 0x3f, 0x94, 0x25, 0xa7, 0x1b, 0x94, 0x06, 0x6f, 0xbe, 0x00, 0x28, 0x4e, 0x49, 0x2a, 0xc3, + 0x29, 0x49, 0x8e, 0xe5, 0xaf, 0x93, 0x92, 0xbc, 0xa2, 0x4b, 0x4e, 0x0f, 0x61, 
0x66, 0x83, 0x52, + 0xce, 0x08, 0xba, 0x06, 0x55, 0x4c, 0xa9, 0x14, 0x78, 0x2e, 0x9e, 0x2b, 0x10, 0xfe, 0x5f, 0xb1, + 0x24, 0x40, 0x5b, 0x37, 0xa1, 0x11, 0x4f, 0x1d, 0x45, 0xb6, 0x91, 0x26, 0xbb, 0x06, 0x20, 0x73, + 0xee, 0x1d, 0x77, 0xdf, 0xe3, 0x2a, 0xe5, 0x8e, 0xa0, 0xb6, 0x8a, 0x6f, 0xfd, 0x56, 0x04, 0x21, + 0x78, 0x7b, 0x07, 0x6a, 0x16, 0x23, 0x4e, 0xc4, 0xdc, 0x4a, 0x9a, 0xb9, 0x04, 0x91, 0x21, 0x81, + 0xf4, 0x3f, 0xd7, 0xe1, 0x2c, 0xd7, 0xd8, 0x23, 0xe1, 0x42, 0x1b, 0x94, 0xde, 0x26, 0x0c, 0x5b, + 0x76, 0xf0, 0xbd, 0x90, 0xf8, 0x87, 0xaf, 0xd9, 0x30, 0x7a, 0x30, 0x2d, 0x3d, 0x50, 0x45, 0xcb, + 0x57, 0x5e, 0x7e, 0x29, 0xf4, 0x49, 0xcd, 0x55, 0x79, 0x3d, 0x35, 0x57, 0x51, 0x0d, 0x54, 0x3d, + 0xa1, 0x1a, 0x68, 0x74, 0x19, 0x9c, 0x2a, 0xae, 0xa7, 0xb3, 0xc5, 0x75, 0x41, 0x69, 0x31, 0x73, + 0xdc, 0xd2, 0xa2, 0x5e, 0x58, 0x5a, 0x38, 0x85, 0x7e, 0xdc, 0x10, 0xe2, 0xfe, 0x6e, 0xda, 0x02, + 0x47, 0xda, 0xda, 0x24, 0x45, 0x06, 0xbc, 0xd6, 0x22, 0xe3, 0xb3, 0x4c, 0xd1, 0x20, 0xcb, 0xf6, + 0xf7, 0x8e, 0x77, 0xa6, 0x31, 0xe5, 0xc3, 0xff, 0x5d, 0xea, 0xfd, 0x0b, 0x91, 0x71, 0x51, 0x2f, + 0x91, 0x41, 0x7c, 0xd9, 0xf3, 0x7b, 0x88, 0x5f, 0xbb, 0x2a, 0x68, 0xf1, 0x6f, 0x74, 0x15, 0xaa, + 0x5c, 0xc8, 0x2a, 0x25, 0x3e, 0x93, 0x96, 0x27, 0xd7, 0xc4, 0x06, 0xa5, 0x8f, 0x28, 0x31, 0x0d, + 0x01, 0x84, 0x6e, 0x41, 0x23, 0x36, 0x7c, 0xe5, 0x59, 0xe7, 0xd3, 0x3b, 0x62, 0x3f, 0x89, 0xb6, + 0x25, 0xe0, 0x7c, 0x6f, 0xd7, 0xf2, 0x89, 0x29, 0x12, 0xc6, 0xda, 0xf0, 0xde, 0xdb, 0xd1, 0x62, + 0xbc, 0x37, 0x06, 0x47, 0xd7, 0x60, 0x5a, 0xf6, 0x39, 0x84, 0x07, 0xcd, 0x5e, 0x3f, 0x3b, 0x1c, + 0x4c, 0xa3, 0x5d, 0x0a, 0x50, 0xff, 0x53, 0x09, 0xde, 0x4a, 0x0c, 0x22, 0xf2, 0xa6, 0x28, 0x67, + 0x7f, 0xf3, 0x37, 0xee, 0x25, 0x58, 0x10, 0x45, 0x42, 0xd2, 0xee, 0x90, 0x9d, 0xb7, 0xdc, 0xac, + 0xfe, 0xfb, 0x12, 0x5c, 0x1c, 0x3e, 0xc7, 0x66, 0x1f, 0xfb, 0x2c, 0x56, 0xef, 0x49, 0x9c, 0x25, + 0xba, 0xf0, 0xca, 0xc9, 0x85, 0x97, 0x39, 0x5f, 0x25, 0x7b, 0x3e, 0xfd, 0x8f, 0x65, 0x98, 0x4d, + 0x19, 0x50, 0xd1, 
0x85, 0xc9, 0x93, 0x41, 0x61, 0xb7, 0xa2, 0x2c, 0x14, 0x97, 0x42, 0xc3, 0x48, + 0xcd, 0xa0, 0x01, 0x00, 0xc5, 0x3e, 0x76, 0x08, 0x23, 0x3e, 0x8f, 0xe4, 0xdc, 0xe3, 0xef, 0x4d, + 0x1e, 0x5d, 0xf6, 0x22, 0x9c, 0x46, 0x0a, 0x3d, 0xcf, 0x66, 0x05, 0xe9, 0x40, 0xc5, 0x6f, 0x35, + 0x42, 0x5f, 0xc2, 0xc2, 0xbe, 0x65, 0x93, 0xbd, 0x84, 0x91, 0x69, 0xc1, 0xc8, 0xc3, 0xc9, 0x19, + 0xb9, 0x9b, 0xc6, 0x6b, 0xe4, 0xc8, 0xe8, 0x57, 0xa0, 0x99, 0xf7, 0x27, 0xce, 0xa4, 0xe5, 0xe0, + 0x5e, 0x2c, 0x2d, 0x35, 0xd2, 0x11, 0x34, 0xf3, 0xfe, 0xa3, 0xff, 0xb3, 0x0c, 0xcb, 0x31, 0xba, + 0x0d, 0xd7, 0xf5, 0x42, 0xd7, 0x14, 0xad, 0xc3, 0x42, 0x5d, 0x9c, 0x86, 0x1a, 0xb3, 0x98, 0x1d, + 0x27, 0x3e, 0x62, 0xc0, 0xef, 0x2e, 0xe6, 0x79, 0x36, 0xb3, 0xa8, 0x52, 0x70, 0x34, 0x94, 0xba, + 0x7f, 0x16, 0x5a, 0x3e, 0xe9, 0x8a, 0x48, 0x50, 0x37, 0xe2, 0x31, 0x5f, 0xe3, 0x59, 0x8d, 0x48, + 0xf1, 0xa5, 0x30, 0xe3, 0xb1, 0xb0, 0x7b, 0xcf, 0xb6, 0x89, 0xc9, 0xc5, 0x91, 0x2a, 0x02, 0x72, + 0xb3, 0xa2, 0xb8, 0x60, 0xbe, 0xe5, 0xf6, 0x54, 0x09, 0xa0, 0x46, 0x9c, 0x4f, 0xec, 0xfb, 0xf8, + 0x50, 0x65, 0xfe, 0x72, 0x80, 0x3e, 0x84, 0x8a, 0x83, 0xa9, 0xba, 0xe8, 0xae, 0x64, 0xa2, 0x43, + 0x91, 0x04, 0xda, 0xbb, 0x98, 0xca, 0x9b, 0x80, 0x6f, 0x6b, 0xbd, 0x0f, 0xf5, 0x68, 0xe2, 0x6b, + 0xa5, 0x84, 0x5f, 0xc0, 0x7c, 0x26, 0xf8, 0xa0, 0x27, 0xb0, 0x92, 0x58, 0x54, 0x9a, 0xa0, 0x4a, + 0x02, 0xdf, 0x3a, 0x92, 0x33, 0x63, 0x04, 0x02, 0xfd, 0x19, 0x2c, 0x71, 0x93, 0x11, 0x8e, 0x7f, + 0x42, 0xa5, 0xcd, 0x07, 0xd0, 0x88, 0x49, 0x16, 0xda, 0x4c, 0x0b, 0xea, 0x07, 0x51, 0x4b, 0x57, + 0xd6, 0x36, 0xf1, 0x58, 0xdf, 0x00, 0x94, 0xe6, 0x57, 0xdd, 0x40, 0x57, 0xb3, 0x49, 0xf1, 0x72, + 0xfe, 0xba, 0x11, 0xe0, 0x51, 0x4e, 0xfc, 0xf7, 0x32, 0x2c, 0x6e, 0x59, 0xa2, 0x47, 0x72, 0x42, + 0x41, 0xee, 0x0a, 0x34, 0x83, 0xb0, 0xe3, 0x78, 0xdd, 0xd0, 0x26, 0x2a, 0x29, 0x50, 0x37, 0xfd, + 0xd0, 0xfc, 0xb8, 0xe0, 0xc7, 0x85, 0x45, 0x31, 0xeb, 0xab, 0xea, 0x57, 0x7c, 0xa3, 0x0f, 0xe1, + 0xec, 0x03, 0xf2, 0xa5, 0x3a, 0xcf, 0x96, 0xed, 0x75, 
0x3a, 0x96, 0xdb, 0x8b, 0x88, 0xd4, 0x04, + 0x91, 0xd1, 0x00, 0x45, 0xa9, 0xe2, 0x74, 0x71, 0xaa, 0x18, 0x57, 0xd0, 0x9b, 0x9e, 0xe3, 0x58, + 0x4c, 0x65, 0x94, 0x99, 0x39, 0xfd, 0xe7, 0x25, 0x68, 0x26, 0x92, 0x55, 0xba, 0xb9, 0x29, 0x7d, + 0x48, 0x6a, 0xe6, 0x62, 0x5a, 0x33, 0x79, 0xd0, 0x97, 0x77, 0x9f, 0xb9, 0xb4, 0xfb, 0xfc, 0xaa, + 0x0c, 0xcb, 0x5b, 0x16, 0x8b, 0x02, 0x97, 0xf5, 0xbf, 0xa6, 0xe5, 0x02, 0x9d, 0x54, 0x8f, 0xa7, + 0x93, 0x5a, 0x81, 0x4e, 0xda, 0xb0, 0x92, 0x17, 0x86, 0x52, 0xcc, 0x69, 0xa8, 0x51, 0xd1, 0x74, + 0x96, 0x7d, 0x05, 0x39, 0xd0, 0xff, 0x5d, 0x87, 0x0b, 0x9f, 0xd1, 0x2e, 0x66, 0x71, 0xcf, 0xe8, + 0xae, 0xe7, 0x8b, 0xae, 0xf3, 0xc9, 0x48, 0x31, 0xf7, 0x32, 0x58, 0x1e, 0xfb, 0x32, 0x58, 0x19, + 0xf3, 0x32, 0x58, 0x3d, 0xd6, 0xcb, 0x60, 0xed, 0xc4, 0x5e, 0x06, 0x87, 0x6b, 0xad, 0xe9, 0xc2, + 0x5a, 0xeb, 0x49, 0xa6, 0x1e, 0x99, 0x11, 0x6e, 0xf3, 0x9d, 0xb4, 0xdb, 0x8c, 0xd5, 0xce, 0xd8, + 0x27, 0x8d, 0xdc, 0x83, 0x5a, 0xfd, 0xc8, 0x07, 0xb5, 0xc6, 0xf0, 0x83, 0x5a, 0xf1, 0x9b, 0x0c, + 0x8c, 0x7c, 0x93, 0xb9, 0x04, 0x0b, 0xc1, 0xa1, 0x6b, 0x92, 0x6e, 0xdc, 0x49, 0x9c, 0x95, 0xc7, + 0xce, 0xce, 0x66, 0x3c, 0x62, 0x2e, 0xe7, 0x11, 0xb1, 0xa5, 0xce, 0xa7, 0x2c, 0xb5, 0xc8, 0x4f, + 0x16, 0x46, 0x96, 0xb9, 0xb9, 0xe7, 0x92, 0xc5, 0xa2, 0xe7, 0x12, 0x34, 0x80, 0x66, 0xc4, 0x55, + 0xac, 0x80, 0xa6, 0x50, 0xc0, 0xc7, 0xc7, 0x57, 0xc0, 0xa3, 0x1c, 0x06, 0xa9, 0x86, 0x21, 0xc4, + 0xff, 0x35, 0x95, 0x5d, 0xeb, 0xd7, 0x25, 0x58, 0x2e, 0x64, 0xfa, 0xcd, 0x14, 0x9a, 0x9f, 0xc3, + 0xea, 0x28, 0x01, 0xab, 0xc0, 0xa5, 0xc1, 0x8c, 0xd9, 0xc7, 0x6e, 0x4f, 0xb4, 0x44, 0x45, 0xe7, + 0x43, 0x0d, 0xc7, 0x55, 0x46, 0xd7, 0xbf, 0x9a, 0x83, 0xa5, 0xa4, 0xe2, 0xe1, 0x7f, 0x2d, 0x93, + 0xa0, 0x87, 0xd0, 0x8c, 0x9e, 0xd6, 0xa2, 0x26, 0x36, 0x1a, 0xf7, 0x6e, 0xd4, 0x3a, 0x5f, 0xbc, + 0x28, 0x59, 0xd3, 0xa7, 0x90, 0x09, 0x67, 0xf3, 0x08, 0x93, 0x27, 0xaa, 0x6f, 0x8d, 0xc1, 0x1c, + 0x43, 0x1d, 0x45, 0xe2, 0x72, 0x09, 0x3d, 0x81, 0x85, 0xec, 0x43, 0x0a, 0xca, 0xa4, 0x80, 
0x85, + 0x6f, 0x3b, 0x2d, 0x7d, 0x1c, 0x48, 0xcc, 0xff, 0x53, 0x6e, 0x95, 0x99, 0x37, 0x03, 0xa4, 0x67, + 0xbb, 0x21, 0x45, 0xaf, 0x2e, 0xad, 0x6f, 0x8e, 0x85, 0x89, 0xb1, 0x7f, 0x00, 0xf5, 0xa8, 0x8f, + 0x9e, 0x15, 0x73, 0xae, 0xbb, 0xde, 0x6a, 0x66, 0xf1, 0xed, 0x07, 0xfa, 0x14, 0xfa, 0x08, 0x66, + 0x39, 0xd8, 0xc3, 0xcd, 0x9d, 0xc7, 0xb8, 0xf7, 0x52, 0xfb, 0xeb, 0x51, 0x9f, 0x79, 0x78, 0x73, + 0xaa, 0xfb, 0xdc, 0x3a, 0x55, 0xd0, 0xf1, 0xd5, 0xa7, 0xd0, 0xc7, 0x92, 0xfe, 0x9e, 0xfa, 0x69, + 0xc4, 0x4a, 0x5b, 0xfe, 0x12, 0xa7, 0x1d, 0xfd, 0x12, 0xa7, 0x7d, 0xc7, 0xa1, 0xec, 0xb0, 0x55, + 0xd0, 0x92, 0x55, 0x08, 0x9e, 0xc2, 0xfc, 0x16, 0x61, 0x49, 0x07, 0x05, 0x5d, 0x3c, 0x56, 0x9f, + 0xa9, 0xa5, 0xe7, 0xc1, 0x86, 0x9b, 0x30, 0xfa, 0x14, 0xfa, 0xaa, 0x04, 0xa7, 0xb6, 0x08, 0xcb, + 0xf7, 0x24, 0xd0, 0xbb, 0xc5, 0x44, 0x46, 0xf4, 0x2e, 0x5a, 0x0f, 0x26, 0xf5, 0xe9, 0x2c, 0x5a, + 0x7d, 0x0a, 0xfd, 0xa6, 0x04, 0x0b, 0x5b, 0x84, 0xeb, 0x2d, 0xe6, 0xe9, 0xda, 0x78, 0x9e, 0x0a, + 0xfa, 0x10, 0xad, 0x09, 0xfb, 0x7f, 0x29, 0xea, 0xfa, 0x14, 0xfa, 0x6d, 0x09, 0xce, 0xa4, 0x64, + 0x95, 0xa6, 0xf7, 0x32, 0xbc, 0x7d, 0x3a, 0xe1, 0x8f, 0x70, 0x52, 0x28, 0xf5, 0x29, 0xb4, 0x27, + 0xcc, 0x24, 0x29, 0x73, 0xd0, 0x85, 0xc2, 0x7a, 0x26, 0xa6, 0xbe, 0x3a, 0x6a, 0x39, 0x36, 0x8d, + 0x4f, 0x61, 0x76, 0x8b, 0xb0, 0x28, 0xdf, 0xce, 0x1a, 0x7f, 0xae, 0x14, 0xca, 0x46, 0x9f, 0x7c, + 0x8a, 0x2e, 0x8c, 0x78, 0x49, 0xe2, 0x4a, 0xe5, 0x94, 0xd9, 0xf0, 0x53, 0x98, 0x7c, 0x67, 0x8d, + 0xb8, 0x38, 0x25, 0xd5, 0xa7, 0xd0, 0x33, 0x58, 0x29, 0x8e, 0xfe, 0xe8, 0xed, 0x63, 0x5f, 0xc1, + 0xad, 0x2b, 0xc7, 0x01, 0x8d, 0x48, 0x7e, 0xb2, 0xf1, 0x97, 0x17, 0xab, 0xa5, 0xbf, 0xbe, 0x58, + 0x2d, 0xfd, 0xeb, 0xc5, 0x6a, 0xe9, 0x07, 0x37, 0x8e, 0xf8, 0xb1, 0x5e, 0xea, 0xf7, 0x7f, 0x98, + 0x5a, 0xa6, 0x6d, 0x11, 0x97, 0x75, 0xa6, 0x45, 0x08, 0xb8, 0xf1, 0x9f, 0x00, 0x00, 0x00, 0xff, + 0xff, 0xaa, 0x40, 0x0c, 0xdc, 0x1e, 0x28, 0x00, 0x00, } // Reference imports to suppress errors if they are not otherwise used. 
@@ -5385,6 +5396,34 @@ func (m *UpdateRevisionForPathsRequest) MarshalToSizedBuffer(dAtA []byte) (int, i -= len(m.XXX_unrecognized) copy(dAtA[i:], m.XXX_unrecognized) } + if len(m.SyncedRefSources) > 0 { + for k := range m.SyncedRefSources { + v := m.SyncedRefSources[k] + baseI := i + if v != nil { + { + size, err := v.MarshalToSizedBuffer(dAtA[:i]) + if err != nil { + return 0, err + } + i -= size + i = encodeVarintRepository(dAtA, i, uint64(size)) + } + i-- + dAtA[i] = 0x12 + } + i -= len(k) + copy(dAtA[i:], k) + i = encodeVarintRepository(dAtA, i, uint64(len(k))) + i-- + dAtA[i] = 0xa + i = encodeVarintRepository(dAtA, i, uint64(baseI-i)) + i-- + dAtA[i] = 0x1 + i-- + dAtA[i] = 0x82 + } + } if len(m.InstallationID) > 0 { i -= len(m.InstallationID) copy(dAtA[i:], m.InstallationID) @@ -6571,6 +6610,19 @@ func (m *UpdateRevisionForPathsRequest) Size() (n int) { if l > 0 { n += 1 + l + sovRepository(uint64(l)) } + if len(m.SyncedRefSources) > 0 { + for k, v := range m.SyncedRefSources { + _ = k + _ = v + l = 0 + if v != nil { + l = v.Size() + l += 1 + sovRepository(uint64(l)) + } + mapEntrySize := 1 + len(k) + sovRepository(uint64(len(k))) + l + n += mapEntrySize + 2 + sovRepository(uint64(mapEntrySize)) + } + } if m.XXX_unrecognized != nil { n += len(m.XXX_unrecognized) } 
@@ -12921,6 +12973,135 @@ func (m *UpdateRevisionForPathsRequest) Unmarshal(dAtA []byte) error { } m.InstallationID = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 16: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field SyncedRefSources", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowRepository + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthRepository + } + postIndex := iNdEx + msglen + if postIndex < 0 { + return ErrInvalidLengthRepository + } + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.SyncedRefSources == nil { + m.SyncedRefSources = make(map[string]*v1alpha1.RefTarget) + } + var mapkey string + var mapvalue *v1alpha1.RefTarget + for iNdEx < postIndex { + entryPreIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowRepository + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + if fieldNum == 1 { + var stringLenmapkey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowRepository + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapkey |= uint64(b&0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapkey := int(stringLenmapkey) + if intStringLenmapkey < 0 { + return ErrInvalidLengthRepository + } + postStringIndexmapkey := iNdEx + intStringLenmapkey + if postStringIndexmapkey < 0 { + return ErrInvalidLengthRepository + } + if postStringIndexmapkey > l { + return io.ErrUnexpectedEOF + } + mapkey = string(dAtA[iNdEx:postStringIndexmapkey]) + iNdEx = postStringIndexmapkey + } else if fieldNum == 2 { + var mapmsglen int + for shift 
:= uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowRepository + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + mapmsglen |= int(b&0x7F) << shift + if b < 0x80 { + break + } + } + if mapmsglen < 0 { + return ErrInvalidLengthRepository + } + postmsgIndex := iNdEx + mapmsglen + if postmsgIndex < 0 { + return ErrInvalidLengthRepository + } + if postmsgIndex > l { + return io.ErrUnexpectedEOF + } + mapvalue = &v1alpha1.RefTarget{} + if err := mapvalue.Unmarshal(dAtA[iNdEx:postmsgIndex]); err != nil { + return err + } + iNdEx = postmsgIndex + } else { + iNdEx = entryPreIndex + skippy, err := skipRepository(dAtA[iNdEx:]) + if err != nil { + return err + } + if (skippy < 0) || (iNdEx+skippy) < 0 { + return ErrInvalidLengthRepository + } + if (iNdEx + skippy) > postIndex { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + m.SyncedRefSources[mapkey] = mapvalue + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipRepository(dAtA[iNdEx:]) diff --git a/reposerver/cache/cache.go b/reposerver/cache/cache.go index 075f46b18d..193070850c 100644 --- a/reposerver/cache/cache.go +++ b/reposerver/cache/cache.go @@ -7,11 +7,11 @@ import ( "fmt" "hash/fnv" "math" - "sort" + "slices" "strings" "time" - "github.com/argoproj/gitops-engine/pkg/utils/text" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/go-git/go-git/v5/plumbing" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -20,6 +20,7 @@ import ( "github.com/argoproj/argo-cd/v3/reposerver/apiclient" cacheutil "github.com/argoproj/argo-cd/v3/util/cache" "github.com/argoproj/argo-cd/v3/util/env" + "github.com/argoproj/argo-cd/v3/util/git" "github.com/argoproj/argo-cd/v3/util/hash" ) 
@@ -98,9 +99,12 @@ func refTargetForCacheKeyFromRefTarget(refTarget *appv1.RefTarget) refTargetForC type refTargetRevisionMappingForCacheKey map[string]refTargetForCacheKey -func getRefTargetRevisionMappingForCacheKey(refTargetRevisionMapping appv1.RefTargetRevisionMapping) refTargetRevisionMappingForCacheKey { +func getRefTargetRevisionMappingForCacheKey(refTargetRevisionMapping appv1.RefTargetRevisionMapping, refSourceCommitSHAs ResolvedRevisions) refTargetRevisionMappingForCacheKey { res := make(refTargetRevisionMappingForCacheKey) + for k, v := range refTargetRevisionMapping { + // forcefully update TargetRevision based on refSourceCommitSHAs so that the resolved revision is always stored in the cache + v.TargetRevision = refSourceCommitSHAs[git.NormalizeGitURL(v.Repo.Repo)] res[k] = refTargetForCacheKeyFromRefTarget(v) } return res @@ -129,7 +133,7 @@ func appSourceKeyJSON(appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRe } appSrcStr, _ := json.Marshal(appSourceKeyStruct{ AppSrc: appSrc, - SrcRefs: getRefTargetRevisionMappingForCacheKey(srcRefs), + SrcRefs: getRefTargetRevisionMappingForCacheKey(srcRefs, refSourceCommitSHAs), ResolvedRevisions: refSourceCommitSHAs, }) return string(appSrcStr) @@ -147,9 +151,7 @@ func clusterRuntimeInfoKey(info ClusterRuntimeInfo) uint32 { // check if info is nil, the caller must do that. func clusterRuntimeInfoKeyUnhashed(info ClusterRuntimeInfo) string { apiVersions := info.GetApiVersions() - sort.Slice(apiVersions, func(i, j int) bool { - return apiVersions[i] < apiVersions[j] - }) + slices.Sort(apiVersions) return info.GetKubeVersion() + "|" + strings.Join(apiVersions, ",") } 
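Review bot: The new loop body in getRefTargetRevisionMappingForCacheKey assigns `v.TargetRevision = refSourceCommitSHAs[git.NormalizeGitURL(v.Repo.Repo)]` on what appears to be a pointer (refTargetForCacheKeyFromRefTarget takes `*appv1.RefTarget`), so deriving a cache key silently rewrites the caller's RefTarget, and when the normalized URL is absent from refSourceCommitSHAs it rewrites it to the empty string, dropping the target revision from the key altogether. Key derivation should be side-effect free and should keep the original target revision when no resolved SHA is known; otherwise two applications pinned to different branches of a repo whose SHA is missing from the map compute the same manifest cache key. Work on a copy and only override when a SHA is present; the function's closing brace appears to fall just past the hunk.
```go
for k, v := range refTargetRevisionMapping {
	// Work on a copy: the caller's RefTarget must not be mutated by key derivation.
	target := *v
	// Prefer the resolved commit SHA so the cache key is stable across symbolic refs,
	// but keep the configured target revision when no SHA is known for this repo.
	if sha, ok := refSourceCommitSHAs[git.NormalizeGitURL(target.Repo.Repo)]; ok {
		target.TargetRevision = sha
	}
	res[k] = refTargetForCacheKeyFromRefTarget(&target)
}
```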
@@ -328,6 +330,7 @@ func manifestCacheKey(revision string, appSrc *appv1.ApplicationSource, srcRefs // example, revision could be part of ResolvedRevisions. And srcRefs is probably redundant now that // refSourceCommitSHAs has been added. We don't need to know the _target_ revisions of the referenced sources // when the _resolved_ revisions are already part of the key. + trackingKey := trackingKey(appLabelKey, trackingMethod) key := fmt.Sprintf("mfst|%s|%s|%s|%s|%d", trackingKey, appName, revision, namespace, appSourceKey(appSrc, srcRefs, refSourceCommitSHAs)+clusterRuntimeInfoKey(info)) if installationID != "" { 
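Review bot: The added `trackingKey := trackingKey(appLabelKey, trackingMethod)` declares a local that shadows the package-level function of the same name for the remainder of manifestCacheKey, which compiles but reads ambiguously and makes a second call to the helper later in the function impossible without renaming. A distinct name keeps the key assembly readable: `trackingKeyPart := trackingKey(appLabelKey, trackingMethod)` followed by `key := fmt.Sprintf("mfst|%s|%s|%s|%s|%d", trackingKeyPart, appName, revision, namespace, appSourceKey(appSrc, srcRefs, refSourceCommitSHAs)+clusterRuntimeInfoKey(info))`. manifestCacheKey's signature and tail are outside the hunk.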
@@ -360,9 +363,9 @@ func LogDebugManifestCacheKeyFields(message string, reason string, revision stri } } -func (c *Cache) SetNewRevisionManifests(newRevision string, revision string, appSrc *appv1.ApplicationSource, srcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, refSourceCommitSHAs ResolvedRevisions, installationID string) error { - oldKey := manifestCacheKey(revision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID) - newKey := manifestCacheKey(newRevision, appSrc, srcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, refSourceCommitSHAs, installationID) +func (c *Cache) SetNewRevisionManifests(newRevision string, revision string, appSrc *appv1.ApplicationSource, oldSrcRefs appv1.RefTargetRevisionMapping, newSrcRefs appv1.RefTargetRevisionMapping, clusterInfo ClusterRuntimeInfo, namespace string, trackingMethod string, appLabelKey string, appName string, oldRefSourceCommitSHAs ResolvedRevisions, newRefSourceCommitSHAs ResolvedRevisions, installationID string) error { + oldKey := manifestCacheKey(revision, appSrc, oldSrcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, oldRefSourceCommitSHAs, installationID) + newKey := manifestCacheKey(newRevision, appSrc, newSrcRefs, namespace, trackingMethod, appLabelKey, appName, clusterInfo, newRefSourceCommitSHAs, installationID) return c.cache.RenameItem(oldKey, newKey, c.repoCacheExpiration) } diff --git a/reposerver/repository/repository.go b/reposerver/repository/repository.go index 75f1af3670..c87af7fe01 100644 --- a/reposerver/repository/repository.go +++ b/reposerver/repository/repository.go 
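Review bot: SetNewRevisionManifests now takes thirteen positional parameters including two adjacent pairs of identical type (`oldSrcRefs, newSrcRefs` and `oldRefSourceCommitSHAs, newRefSourceCommitSHAs`), so transposing old and new at a call site compiles silently and renames the cache entry in the wrong direction; the only call visible in this diff passes `request.RefSources` for both map arguments. Consider grouping each side, e.g. `type revisionKeyInputs struct { Revision string; SrcRefs appv1.RefTargetRevisionMapping; ResolvedRevisions ResolvedRevisions }` and taking `old, new revisionKeyInputs`, or at minimum add a doc comment stating that the entry under the old key is moved to the new key and that a missing old entry is reported through RenameItem's error (the caller's `errors.Is(err, cache.ErrCacheMiss)` suggests this, but RenameItem itself is not visible here).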
@@ -22,8 +22,8 @@ import ( "github.com/argoproj/argo-cd/v3/util/oci" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - textutils "github.com/argoproj/gitops-engine/pkg/utils/text" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + textutils "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/argoproj/pkg/v2/sync" jsonpatch "github.com/evanphx/json-patch" gogit "github.com/go-git/go-git/v5" @@ -1122,9 +1122,9 @@ func getHelmDependencyRepos(appPath string) ([]*v1alpha1.Repository, error) { repos = append(repos, &v1alpha1.Repository{ Name: r.Repository[1:], }) - } else if strings.HasPrefix(r.Repository, "alias:") { + } else if after, ok := strings.CutPrefix(r.Repository, "alias:"); ok { repos = append(repos, &v1alpha1.Repository{ - Name: strings.TrimPrefix(r.Repository, "alias:"), + Name: after, }) } else if u, err := url.Parse(r.Repository); err == nil && (u.Scheme == "https" || u.Scheme == "oci") { repo := &v1alpha1.Repository{ @@ -1540,6 +1540,9 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, KubeVersion: kubeVersion, APIVersions: q.ApplicationSource.GetAPIVersionsOrDefault(q.ApiVersions), }) + if err != nil { + return nil, err + } case v1alpha1.ApplicationSourceTypePlugin: pluginName := "" if q.ApplicationSource.Plugin != nil { @@ -1548,7 +1551,7 @@ func GenerateManifests(ctx context.Context, appPath, repoRoot, revision string, // if pluginName is provided it has to be `-` or just `` if plugin version is empty targetObjs, err = runConfigManagementPluginSidecars(ctx, appPath, repoRoot, pluginName, env, q, q.Repo.GetGitCreds(gitCredsStore), opt.cmpTarDoneCh, opt.cmpTarExcludedGlobs, opt.cmpUseManifestGeneratePaths) if err != nil { - err = fmt.Errorf("CMP processing failed for application %q: %w", q.AppName, err) + return nil, fmt.Errorf("CMP processing failed for application %q: %w", q.AppName, err) } case v1alpha1.ApplicationSourceTypeDirectory: var directory *v1alpha1.ApplicationSourceDirectory 
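Review bot: The `if err != nil { return nil, err }` added after the Helm branch in GenerateManifests returns the error bare, while the CMP branch a few lines below now wraps it with the application name; the two paths should report the same way so a failed generation can be attributed in logs. Wrap it as `return nil, fmt.Errorf("helm manifest generation failed for application %q: %w", q.AppName, err)` so `%w` keeps errors.Is/As working for callers. GenerateManifests starts and ends outside the hunk, so whether a post-switch handler previously caught these cases cannot be confirmed from here.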
@@ -3032,44 +3035,30 @@ func (s *Service) GetGitDirectories(_ context.Context, request *apiclient.GitDir }, nil } -// UpdateRevisionForPaths compares two git revisions and checks if the files in the given paths have changed -// If no files were changed, it will store the already cached manifest to the key corresponding to the old revision, avoiding an unnecessary generation. -// Example: cache has key "a1a1a1" with manifest "x", and the files for that manifest have not changed, -// "x" will be stored again with the new revision "b2b2b2". -func (s *Service) UpdateRevisionForPaths(_ context.Context, request *apiclient.UpdateRevisionForPathsRequest) (*apiclient.UpdateRevisionForPathsResponse, error) { - logCtx := log.WithFields(log.Fields{"application": request.AppName, "appNamespace": request.Namespace}) - - repo := request.GetRepo() - revision := request.GetRevision() - syncedRevision := request.GetSyncedRevision() - refreshPaths := request.GetPaths() - +func (s *Service) gitSourceHasChanges(repo *v1alpha1.Repository, revision, syncedRevision string, refreshPaths []string, gitClientOpts git.ClientOpts) (string, string, bool, error) { if repo == nil { - return nil, status.Error(codes.InvalidArgument, "must pass a valid repo") + return revision, syncedRevision, true, status.Error(codes.InvalidArgument, "must pass a valid repo") } if len(refreshPaths) == 0 { // Always refresh if path is not specified - return &apiclient.UpdateRevisionForPathsResponse{}, nil + return revision, syncedRevision, true, nil } - gitClientOpts := git.WithCache(s.cache, !request.NoRevisionCache) gitClient, revision, err := s.newClientResolveRevision(repo, revision, gitClientOpts) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to resolve git revision %s: %v", revision, err) + return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to resolve git revision %s: %v", revision, err) } syncedRevision, err = gitClient.LsRemote(syncedRevision) if err != nil { 
s.metricsServer.IncGitLsRemoteFail(gitClient.Root(), revision) - return nil, status.Errorf(codes.Internal, "unable to resolve git revision %s: %v", revision, err) + return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to resolve git revision %s: %v", revision, err) } // No need to compare if it is the same revision if revision == syncedRevision { - return &apiclient.UpdateRevisionForPathsResponse{ - Revision: revision, - }, nil + return revision, syncedRevision, false, nil } s.metricsServer.IncPendingRepoRequest(repo.Repo) @@ -3079,17 +3068,17 @@ func (s *Service) UpdateRevisionForPaths(_ context.Context, request *apiclient.U return s.checkoutRevision(gitClient, revision, false, 0) }) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to checkout git repo %s with revision %s: %v", repo.Repo, revision, err) + return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to checkout git repo %s with revision %s: %v", repo.Repo, revision, err) } defer utilio.Close(closer) if err := s.fetch(gitClient, []string{syncedRevision}); err != nil { - return nil, status.Errorf(codes.Internal, "unable to fetch git repo %s with syncedRevisions %s: %v", repo.Repo, syncedRevision, err) + return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to fetch git repo %s with syncedRevisions %s: %v", repo.Repo, syncedRevision, err) } files, err := gitClient.ChangedFiles(syncedRevision, revision) if err != nil { - return nil, status.Errorf(codes.Internal, "unable to get changed files for repo %s with revision %s: %v", repo.Repo, revision, err) + return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to get changed files for repo %s with revision %s: %v", repo.Repo, revision, err) } changed := false 
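Review bot: In gitSourceHasChanges the LsRemote failure branch reports `revision` in both the metric and the error message although the call that failed was `gitClient.LsRemote(syncedRevision)`, so the log points at the wrong ref and the ls-remote failure metric is attributed to the wrong revision. Use the ref that actually failed: `s.metricsServer.IncGitLsRemoteFail(gitClient.Root(), syncedRevision)` and `return revision, syncedRevision, true, status.Errorf(codes.Internal, "unable to resolve synced git revision %s: %v", syncedRevision, err)`. The new helper also has no doc comment; it should state that it returns the resolved revision, the resolved synced revision, and whether any file under refreshPaths differs between them, that every error path reports changed=true so callers fail towards regeneration, and that a nil repo or empty refreshPaths short-circuits. The body continues past the hunk, so the matching decrement for IncPendingRepoRequest is not visible here.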
@@ -3097,50 +3086,160 @@ func (s *Service) UpdateRevisionForPaths(_ context.Context, request *apiclient.U changed = apppathutil.AppFilesHaveChanged(refreshPaths, files) } - if !changed { - logCtx.Debugf("no changes found for application %s in repo %s from revision %s to revision %s", request.AppName, repo.Repo, syncedRevision, revision) + return revision, syncedRevision, changed, nil +} - err := s.updateCachedRevision(logCtx, syncedRevision, revision, request, gitClientOpts) - if err != nil { - // Only warn with the error, no need to block anything if there is a caching error. - logCtx.Warnf("error updating cached revision for repo %s with revision %s: %v", repo.Repo, revision, err) - return &apiclient.UpdateRevisionForPathsResponse{ - Revision: revision, - }, nil +// UpdateRevisionForPaths compares git revisions for single and multi-source applications +// and determines whether files in the specified paths have changed. +// +// For single-source applications, only the main git repository revision is compared. +// For multi-source applications, all related ref sources are compared (multiple git repositories +// referenced via `ref` in Helm value files). +// +// If no changes are detected, but revisions have advanced, the already cached manifest is copied +// from the old revision key to the new one, avoiding unnecessary regeneration. +// +// Example: cache contains manifest "x" under revision "a1a1a1". If the revision moves to "b2b2b2" +// and no relevant files have changed, "x" will be stored again under the new revision key. 
+func (s *Service) UpdateRevisionForPaths(_ context.Context, request *apiclient.UpdateRevisionForPathsRequest) (*apiclient.UpdateRevisionForPathsResponse, error) { + logCtx := log.WithFields(log.Fields{"application": request.AppName, "appNamespace": request.Namespace}) + + // Store resolved revisions for cache update + newRepoRefs := make(map[string]string, 0) + oldRepoRefs := make(map[string]string, 0) + rRevision := request.Revision + sRevision := request.SyncedRevision + revisionsAreDifferent := false + repo := request.GetRepo() + refreshPaths := request.GetPaths() + + if repo == nil { + return nil, status.Error(codes.InvalidArgument, "must pass a valid repo") + } + + if len(refreshPaths) == 0 { + // Always refresh if path is not specified + return &apiclient.UpdateRevisionForPathsResponse{Changes: true}, nil + } + + // Check that request has git repositories on check + if repo.Type != "git" && len(request.RefSources) == 0 { + return &apiclient.UpdateRevisionForPathsResponse{}, nil + } + + gitClientOpts := git.WithCache(s.cache, !request.NoRevisionCache) + + if repo.Type == "git" { + if request.SyncedRevision != request.Revision { + resolvedRevision, syncedRevision, sourceHasChanges, err := s.gitSourceHasChanges(request.Repo, request.Revision, request.SyncedRevision, refreshPaths, gitClientOpts) + if err != nil { + return nil, err + } + rRevision = resolvedRevision + sRevision = syncedRevision + + if resolvedRevision != syncedRevision { + revisionsAreDifferent = true + } + + if sourceHasChanges { + logCtx.Debugf("changes found for application %s in repo %s from revision %s to revision %s", request.AppName, request.Repo.Repo, syncedRevision, resolvedRevision) + return &apiclient.UpdateRevisionForPathsResponse{ + Revision: rRevision, + Changes: true, + }, nil + } } + } + // Only SyncedRefSources that refer to a specific source should be compared + refsToCompare := v1alpha1.RefTargetRevisionMapping{} + + refCandidates := make([]string, 0) + if 
request.HasMultipleSources && request.ApplicationSource.Helm != nil { + refFileParams := make([]string, 0) + for _, fileParam := range request.ApplicationSource.Helm.FileParameters { + refFileParams = append(refFileParams, fileParam.Path) + } + refCandidates = append(request.ApplicationSource.Helm.ValueFiles, refFileParams...) + } + + for _, valueFile := range refCandidates { + if !strings.HasPrefix(valueFile, "$") { + continue + } + refName := strings.Split(valueFile, "/")[0] + if _, ok := refsToCompare[refName]; ok { + continue + } + sRefSource, ok := request.SyncedRefSources[refName] + if !ok { + return &apiclient.UpdateRevisionForPathsResponse{Changes: true, Revision: rRevision}, fmt.Errorf("source referenced %q, but no source has a 'ref' field defined", refName) + } + refsToCompare[refName] = sRefSource + } + + for refName, sRefSource := range refsToCompare { + resolvedRevision := sRefSource.TargetRevision + syncedRevision := sRefSource.TargetRevision + var sourceHasChanges bool + var err error + + if sRefSource.TargetRevision != request.RefSources[refName].TargetRevision { + resolvedRevision, syncedRevision, sourceHasChanges, err = s.gitSourceHasChanges(&sRefSource.Repo, request.RefSources[refName].TargetRevision, sRefSource.TargetRevision, refreshPaths, gitClientOpts) + if err != nil { + return nil, err + } + + if resolvedRevision != syncedRevision { + revisionsAreDifferent = true + } + + if sourceHasChanges { + logCtx.Debugf("changes found for application %s in repo %s from revision %s to revision %s", request.AppName, sRefSource.Repo.Repo, syncedRevision, resolvedRevision) + return &apiclient.UpdateRevisionForPathsResponse{ + Revision: rRevision, + Changes: true, + }, nil + } + } + // Store resolved revision for cache update + normalizedURL := git.NormalizeGitURL(sRefSource.Repo.Repo) + newRepoRefs[normalizedURL] = resolvedRevision + oldRepoRefs[normalizedURL] = syncedRevision + } + + // this check is necessary to ensure that revisions have changed since 
the last sync + if !revisionsAreDifferent { return &apiclient.UpdateRevisionForPathsResponse{ - Revision: revision, + Changes: false, + Revision: rRevision, + }, nil + } + + // No changes detected, update the cache using resolved revisions + err := s.updateCachedRevision(logCtx, sRevision, rRevision, request, oldRepoRefs, newRepoRefs) + if err != nil { + // Only warn with the error, no need to block anything if there is a caching error. + logCtx.Warnf("error updating cached revision for source %s with revision %s: %v", request.ApplicationSource.RepoURL, rRevision, err) + return &apiclient.UpdateRevisionForPathsResponse{ + Revision: rRevision, + Changes: true, }, nil } - logCtx.Debugf("changes found for application %s in repo %s from revision %s to revision %s", request.AppName, repo.Repo, syncedRevision, revision) return &apiclient.UpdateRevisionForPathsResponse{ - Revision: revision, - Changes: true, + Revision: rRevision, + Changes: false, }, nil } -func (s *Service) updateCachedRevision(logCtx *log.Entry, oldRev string, newRev string, request *apiclient.UpdateRevisionForPathsRequest, gitClientOpts git.ClientOpts) error { - repoRefs := make(map[string]string) - if request.HasMultipleSources && request.ApplicationSource.Helm != nil { - var err error - repoRefs, err = resolveReferencedSources(true, request.ApplicationSource.Helm, request.RefSources, s.newClientResolveRevision, gitClientOpts) - if err != nil { - return fmt.Errorf("failed to get repo refs for application %s in repo %s from revision %s: %w", request.AppName, request.GetRepo().Repo, request.Revision, err) - } - - // Update revision in refSource - for normalizedURL := range repoRefs { - repoRefs[normalizedURL] = newRev - } - } - - err := s.cache.SetNewRevisionManifests(newRev, oldRev, request.ApplicationSource, request.RefSources, request, request.Namespace, request.TrackingMethod, request.AppLabelKey, request.AppName, repoRefs, request.InstallationID) +func (s *Service) updateCachedRevision(logCtx 
*log.Entry, oldRev string, newRev string, request *apiclient.UpdateRevisionForPathsRequest, oldRepoRefs map[string]string, newRepoRefs map[string]string) error { + err := s.cache.SetNewRevisionManifests(newRev, oldRev, request.ApplicationSource, request.RefSources, request.RefSources, request, request.Namespace, request.TrackingMethod, request.AppLabelKey, request.AppName, oldRepoRefs, newRepoRefs, request.InstallationID) if err != nil { if errors.Is(err, cache.ErrCacheMiss) { logCtx.Debugf("manifest cache miss during comparison for application %s in repo %s from revision %s", request.AppName, request.GetRepo().Repo, oldRev) - return nil + return fmt.Errorf("manifest cache miss during comparison for application %s in repo %s from revision %s", request.AppName, request.GetRepo().Repo, oldRev) } return fmt.Errorf("manifest cache move error for %s: %w", request.AppName, err) } diff --git a/reposerver/repository/repository.proto b/reposerver/repository/repository.proto index b52ccf841b..25c9fef010 100644 --- a/reposerver/repository/repository.proto +++ b/reposerver/repository/repository.proto @@ -286,6 +286,8 @@ message UpdateRevisionForPathsRequest { bool noRevisionCache = 14; string installationID = 15; + + map syncedRefSources = 16; } message UpdateRevisionForPathsResponse { diff --git a/reposerver/repository/repository_test.go b/reposerver/repository/repository_test.go index 49e177e14a..dd53ca383f 100644 --- a/reposerver/repository/repository_test.go +++ b/reposerver/repository/repository_test.go @@ -521,7 +521,7 @@ func TestGenerateManifestsHelmWithRefs_CachedNoLsRemote(t *testing.T) { require.NoError(t, err) cacheMocks.mockCache.AssertCacheCalledTimes(t, &repositorymocks.CacheCallCounts{ ExternalSets: 2, - ExternalGets: 5, + ExternalGets: 4, }) } 
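Review bot: In the refsToCompare loop, `request.RefSources[refName].TargetRevision` dereferences the map value without checking presence, and RefSources appears to be map[string]*RefTarget (the generated Unmarshal builds `map[string]*v1alpha1.RefTarget` for the sibling SyncedRefSources field), so a ref present in SyncedRefSources but removed from the current sources nil-dereferences inside the handler instead of returning Changes: true. Two further points are inferred rather than visible and should be confirmed against the controller: the early `repo.Type != "git"` check returns an empty response for repositories whose Type is unset (every existing test had to gain `Type: "git"`, suggesting the previous code did not require it), and each ref source is diffed against the primary source's refreshPaths rather than the `$ref/...` paths actually consumed from it, so a changed values file outside those paths would be reported as unchanged and the stale cached manifest reused. The hunk ends inside updateCachedRevision, whose closing lines are outside the visible chunk. For the nil lookup:
```go
for refName, sRefSource := range refsToCompare {
	current, ok := request.RefSources[refName]
	if !ok || current == nil {
		// The ref was removed or renamed since the last sync; the cached manifest cannot be reused.
		return &apiclient.UpdateRevisionForPathsResponse{Changes: true, Revision: rRevision}, nil
	}
	resolvedRevision := sRefSource.TargetRevision
	syncedRevision := sRefSource.TargetRevision
	// … unchanged: sourceHasChanges / err declarations …
	if sRefSource.TargetRevision != current.TargetRevision {
		resolvedRevision, syncedRevision, sourceHasChanges, err = s.gitSourceHasChanges(&sRefSource.Repo, current.TargetRevision, sRefSource.TargetRevision, refreshPaths, gitClientOpts)
		// … unchanged: error handling, revisionsAreDifferent, early return on changes …
	}
	// … unchanged: store resolved revisions in newRepoRefs / oldRepoRefs …
}
```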
@@ -949,7 +949,7 @@ func TestManifestGenErrorCacheFileContentsChange(t *testing.T) { PauseGenerationOnFailureForRequests: 4, } - for step := 0; step < 3; step++ { + for step := range 3 { // step 1) Attempt to generate manifests against invalid helm chart (should return uncached error) // step 2) Attempt to generate manifest against valid helm chart (should succeed and return valid response) // step 3) Attempt to generate manifest against invalid helm chart (should return cached value from step 2) @@ -1028,7 +1028,7 @@ func TestManifestGenErrorCacheByMinutesElapsed(t *testing.T) { } // 1) Put the cache into the failure state - for x := 0; x < 2; x++ { + for x := range 2 { res, err := service.GenerateManifest(t.Context(), &apiclient.ManifestRequest{ Repo: &v1alpha1.Repository{}, AppName: "test", @@ -1088,7 +1088,7 @@ func TestManifestGenErrorCacheRespectsNoCache(t *testing.T) { } // 1) Put the cache into the failure state - for x := 0; x < 2; x++ { + for x := range 2 { res, err := service.GenerateManifest(t.Context(), &apiclient.ManifestRequest{ Repo: &v1alpha1.Repository{}, AppName: "test", @@ -3848,6 +3848,7 @@ func TestErrorUpdateRevisionForPaths(t *testing.T) { Repo: nil, Revision: "HEAD", SyncedRevision: "sadfsadf", + Paths: []string{"."}, }, }, want: nil, wantErr: assert.Error}, {name: "InvalidResolveRevision", fields: fields{service: func() *Service { @@ -3862,7 +3863,7 @@ func TestErrorUpdateRevisionForPaths(t *testing.T) { }()}, args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "not-a-valid-url"}, + Repo: &v1alpha1.Repository{Repo: "not-a-valid-url", Type: "git"}, Revision: "sadfsadf", SyncedRevision: "HEAD", Paths: []string{"."}, 
@@ -3881,7 +3882,7 @@ func TestErrorUpdateRevisionForPaths(t *testing.T) { }()}, args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "not-a-valid-url"}, + Repo: &v1alpha1.Repository{Repo: "not-a-valid-url", Type: "git"}, Revision: "HEAD", SyncedRevision: "sadfsadf", Paths: []string{"."}, @@ -3932,10 +3933,12 @@ func TestUpdateRevisionForPaths(t *testing.T) { }(), args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "a-url.com"}, - Paths: []string{}, + Repo: &v1alpha1.Repository{Repo: "a-url.com", Type: "git"}, + Revision: "", + SyncedRevision: "", + Paths: []string{}, }, - }, want: &apiclient.UpdateRevisionForPathsResponse{}, wantErr: assert.NoError}, + }, want: &apiclient.UpdateRevisionForPathsResponse{Changes: true}, wantErr: assert.NoError}, {name: "SameResolvedRevisionAbort", fields: func() fields { s, _, c := newServiceWithOpt(t, func(gitClient *gitmocks.Client, _ *helmmocks.Client, _ *ocimocks.Client, paths *iomocks.TempPaths) { gitClient.EXPECT().Checkout(mock.Anything, mock.Anything).Return("", nil) @@ -3951,7 +3954,7 @@ func TestUpdateRevisionForPaths(t *testing.T) { }(), args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "a-url.com"}, + Repo: &v1alpha1.Repository{Repo: "a-url.com", Type: "git"}, Revision: "HEAD", SyncedRevision: "SYNCEDHEAD", Paths: []string{"."}, @@ -3983,7 +3986,7 @@ func TestUpdateRevisionForPaths(t *testing.T) { }(), args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "a-url.com"}, + Repo: &v1alpha1.Repository{Repo: "a-url.com", Type: "git"}, Revision: "HEAD", SyncedRevision: "SYNCEDHEAD", Paths: []string{"."}, 
@@ -4016,11 +4019,10 @@ func TestUpdateRevisionForPaths(t *testing.T) { }(), args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "a-url.com"}, - Revision: "HEAD", - SyncedRevision: "SYNCEDHEAD", - Paths: []string{"."}, - + Repo: &v1alpha1.Repository{Repo: "a-url.com", Type: "git"}, + Revision: "HEAD", + SyncedRevision: "SYNCEDHEAD", + Paths: []string{"."}, AppLabelKey: "app.kubernetes.io/name", AppName: "no-change-update-cache", Namespace: "default", @@ -4029,7 +4031,8 @@ func TestUpdateRevisionForPaths(t *testing.T) { KubeVersion: "v1.16.0", }, }, want: &apiclient.UpdateRevisionForPathsResponse{ - Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", + Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", Changes: true, // FIXME: need to fix changes=true, because now test can't mock Rename cache + }, wantErr: assert.NoError, cacheHit: &cacheHit{ previousRevision: "1e67a504d03def3a6a1125d934cb511680f72555", revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", @@ -4057,11 +4060,10 @@ func TestUpdateRevisionForPaths(t *testing.T) { }(), args: args{ ctx: t.Context(), request: &apiclient.UpdateRevisionForPathsRequest{ - Repo: &v1alpha1.Repository{Repo: "a-url.com"}, - Revision: "HEAD", - SyncedRevision: "SYNCEDHEAD", - Paths: []string{"."}, - + Repo: &v1alpha1.Repository{Repo: "a-url.com", Type: "git"}, + Revision: "HEAD", + SyncedRevision: "SYNCEDHEAD", + Paths: []string{"."}, AppLabelKey: "app.kubernetes.io/name", AppName: "no-change-update-cache", Namespace: "default", 
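Review bot: The expectation for the `no-change-update-cache` case was flipped to `Changes: true` with a `// FIXME` admitting the mock cache cannot handle the rename, which means the exact path this change reworks — no relevant file changed, revisions advanced, cached manifest moved to the new key — is now asserted to behave the opposite of its documented intent, and a regression there would pass. Rather than relaxing the assertion, give the test cache a RenameItem that succeeds when the old key is present (the fixture already seeds `previousRevision`/`revision` through cacheHit) and restore `want: &apiclient.UpdateRevisionForPathsResponse{Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", Changes: false}`. The same FIXME is repeated on the multi-source case at the end of this line and on the helm-with-refs case in the next hunk, which runs past the visible chunk.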
@@ -4072,11 +4074,217 @@ func TestUpdateRevisionForPaths(t *testing.T) { HasMultipleSources: true, }, }, want: &apiclient.UpdateRevisionForPathsResponse{ - Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", + Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", Changes: true, // FIXME: need to fix changes=true, because now test can't mock Rename cache }, wantErr: assert.NoError, cacheHit: &cacheHit{ previousRevision: "1e67a504d03def3a6a1125d934cb511680f72555", revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", }}, + {name: "NoChangesHelmWithRefMultiSourceUpdateCache", fields: func() fields { + s, _, c := newServiceWithOpt(t, func(gitClient *gitmocks.Client, _ *helmmocks.Client, _ *ocimocks.Client, paths *iomocks.TempPaths) { + gitClient.EXPECT().Init().Return(nil) + gitClient.EXPECT().IsRevisionPresent("632039659e542ed7de0c170a4fcc1c571b288fc0").Once().Return(false) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().Checkout(mock.Anything, mock.Anything).Return("", nil) + // fetch + gitClient.EXPECT().IsRevisionPresent("1e67a504d03def3a6a1125d934cb511680f72555").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("732039659e542ed7de0c170a4fcc1c571b288fc1").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("2e67a504d03def3a6a1125d934cb511680f72554").Once().Return(true) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().LsRemote("HEAD").Once().Return("632039659e542ed7de0c170a4fcc1c571b288fc0", nil) + gitClient.EXPECT().LsRemote("SYNCEDHEAD").Once().Return("1e67a504d03def3a6a1125d934cb511680f72555", nil) + gitClient.EXPECT().LsRemote("HEAD-1").Once().Return("732039659e542ed7de0c170a4fcc1c571b288fc1", nil) + gitClient.EXPECT().LsRemote("SYNCEDHEAD-1").Once().Return("2e67a504d03def3a6a1125d934cb511680f72554", nil) + paths.EXPECT().GetPath(mock.Anything).Return(".", nil) + paths.EXPECT().GetPathIfExists(mock.Anything).Return(".") + 
gitClient.EXPECT().Root().Return("") + gitClient.EXPECT().ChangedFiles(mock.Anything, mock.Anything).Return([]string{}, nil) + }, ".") + return fields{ + service: s, + cache: c, + } + }(), args: args{ + ctx: t.Context(), + request: &apiclient.UpdateRevisionForPathsRequest{ + Repo: &v1alpha1.Repository{Repo: "url.com", Type: "helm"}, + RefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD-1"}, + }, + SyncedRefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD-1"}, + }, + Revision: "0.0.1", + SyncedRevision: "0.0.1", + Paths: []string{"."}, + AppLabelKey: "app.kubernetes.io/name", + AppName: "no-change-update-cache", + Namespace: "default", + TrackingMethod: "annotation+label", + ApplicationSource: &v1alpha1.ApplicationSource{Path: ".", Helm: &v1alpha1.ApplicationSourceHelm{ReleaseName: "test", ValueFiles: []string{"$values/path", "$values_2/path"}}}, + KubeVersion: "v1.16.0", + HasMultipleSources: true, + }, + }, want: &apiclient.UpdateRevisionForPathsResponse{ + Revision: "0.0.1", Changes: true, // FIXME: need to fix changes=true, because now test can't mock Rename cache + }, wantErr: assert.NoError, cacheHit: &cacheHit{ + previousRevision: "0.0.1", + revision: "0.0.1", + }}, + {name: "NoChangesHelmWithRefMultiSource_IgnoreUnusedRef", fields: func() fields { + s, _, c := newServiceWithOpt(t, func(gitClient *gitmocks.Client, _ *helmmocks.Client, _ *ocimocks.Client, paths *iomocks.TempPaths) { + gitClient.EXPECT().Init().Return(nil) + gitClient.EXPECT().IsRevisionPresent("632039659e542ed7de0c170a4fcc1c571b288fc0").Once().Return(false) + gitClient.EXPECT().Fetch(mock.Anything, 
mock.Anything).Once().Return(nil) + gitClient.EXPECT().Checkout(mock.Anything, mock.Anything).Return("", nil) + // fetch + gitClient.EXPECT().IsRevisionPresent("1e67a504d03def3a6a1125d934cb511680f72555").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("732039659e542ed7de0c170a4fcc1c571b288fc1").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("2e67a504d03def3a6a1125d934cb511680f72554").Once().Return(true) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().LsRemote("HEAD").Once().Return("632039659e542ed7de0c170a4fcc1c571b288fc0", nil) + gitClient.EXPECT().LsRemote("SYNCEDHEAD").Once().Return("1e67a504d03def3a6a1125d934cb511680f72555", nil) + paths.EXPECT().GetPath(mock.Anything).Return(".", nil) + paths.EXPECT().GetPathIfExists(mock.Anything).Return(".") + gitClient.EXPECT().Root().Return("") + gitClient.EXPECT().ChangedFiles(mock.Anything, mock.Anything).Return([]string{}, nil) + }, ".") + return fields{ + service: s, + cache: c, + } + }(), args: args{ + ctx: t.Context(), + request: &apiclient.UpdateRevisionForPathsRequest{ + Repo: &v1alpha1.Repository{Repo: "url.com", Type: "helm"}, + RefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD-1"}, + }, + SyncedRefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD-1"}, + }, + Revision: "0.0.1", + SyncedRevision: "0.0.1", + Paths: []string{"."}, + AppLabelKey: "app.kubernetes.io/name", + AppName: "no-change-update-cache", + Namespace: "default", + TrackingMethod: "annotation+label", + ApplicationSource: &v1alpha1.ApplicationSource{Path: ".", Helm: 
&v1alpha1.ApplicationSourceHelm{ReleaseName: "test", ValueFiles: []string{"$values/path"}}}, + KubeVersion: "v1.16.0", + HasMultipleSources: true, + }, + }, want: &apiclient.UpdateRevisionForPathsResponse{ + Revision: "0.0.1", Changes: true, // FIXME: need to fix changes=true, because now test can't mock Rename cache + }, wantErr: assert.NoError, cacheHit: &cacheHit{ + previousRevision: "0.0.1", + revision: "0.0.1", + }}, + {name: "NoChangesHelmWithRefMultiSource_UndefinedRef", fields: func() fields { + s, _, c := newServiceWithOpt(t, func(gitClient *gitmocks.Client, _ *helmmocks.Client, _ *ocimocks.Client, paths *iomocks.TempPaths) { + gitClient.EXPECT().Init().Return(nil) + gitClient.EXPECT().IsRevisionPresent("632039659e542ed7de0c170a4fcc1c571b288fc0").Once().Return(false) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().Checkout(mock.Anything, mock.Anything).Return("", nil) + // fetch + gitClient.EXPECT().IsRevisionPresent("1e67a504d03def3a6a1125d934cb511680f72555").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("732039659e542ed7de0c170a4fcc1c571b288fc1").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("2e67a504d03def3a6a1125d934cb511680f72554").Once().Return(true) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().LsRemote("HEAD").Once().Return("632039659e542ed7de0c170a4fcc1c571b288fc0", nil) + gitClient.EXPECT().LsRemote("SYNCEDHEAD").Once().Return("1e67a504d03def3a6a1125d934cb511680f72555", nil) + paths.EXPECT().GetPath(mock.Anything).Return(".", nil) + paths.EXPECT().GetPathIfExists(mock.Anything).Return(".") + gitClient.EXPECT().Root().Return("") + gitClient.EXPECT().ChangedFiles(mock.Anything, mock.Anything).Return([]string{}, nil) + }, ".") + return fields{ + service: s, + cache: c, + } + }(), args: args{ + ctx: t.Context(), + request: &apiclient.UpdateRevisionForPathsRequest{ + Repo: &v1alpha1.Repository{Repo: "url.com", Type: "helm"}, + 
RefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD-1"}, + }, + SyncedRefSources: v1alpha1.RefTargetRevisionMapping{ + "$values": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD"}, + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD-1"}, + }, + Revision: "0.0.1", + SyncedRevision: "0.0.1", + Paths: []string{"."}, + AppLabelKey: "app.kubernetes.io/name", + AppName: "no-change-update-cache", + Namespace: "default", + TrackingMethod: "annotation+label", + ApplicationSource: &v1alpha1.ApplicationSource{Path: ".", Helm: &v1alpha1.ApplicationSourceHelm{ReleaseName: "test", ValueFiles: []string{"$values_3/path"}}}, + KubeVersion: "v1.16.0", + HasMultipleSources: true, + }, + }, want: &apiclient.UpdateRevisionForPathsResponse{ + Revision: "0.0.1", Changes: true, + }, wantErr: assert.Error, cacheHit: nil}, + {name: "IgnoreRefSourcesForGitSource", fields: func() fields { + s, _, c := newServiceWithOpt(t, func(gitClient *gitmocks.Client, _ *helmmocks.Client, _ *ocimocks.Client, paths *iomocks.TempPaths) { + gitClient.EXPECT().Init().Return(nil) + gitClient.EXPECT().IsRevisionPresent("632039659e542ed7de0c170a4fcc1c571b288fc0").Once().Return(false) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + gitClient.EXPECT().Checkout(mock.Anything, mock.Anything).Return("", nil) + // fetch + gitClient.EXPECT().IsRevisionPresent("1e67a504d03def3a6a1125d934cb511680f72555").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("732039659e542ed7de0c170a4fcc1c571b288fc1").Once().Return(true) + gitClient.EXPECT().IsRevisionPresent("2e67a504d03def3a6a1125d934cb511680f72554").Once().Return(true) + gitClient.EXPECT().Fetch(mock.Anything, mock.Anything).Once().Return(nil) + 
gitClient.EXPECT().LsRemote("HEAD").Once().Return("632039659e542ed7de0c170a4fcc1c571b288fc0", nil) + gitClient.EXPECT().LsRemote("SYNCEDHEAD").Once().Return("1e67a504d03def3a6a1125d934cb511680f72555", nil) + paths.EXPECT().GetPath(mock.Anything).Return(".", nil) + paths.EXPECT().GetPathIfExists(mock.Anything).Return(".") + gitClient.EXPECT().Root().Return("") + gitClient.EXPECT().ChangedFiles(mock.Anything, mock.Anything).Return([]string{}, nil) + }, ".") + return fields{ + service: s, + cache: c, + } + }(), args: args{ + ctx: t.Context(), + request: &apiclient.UpdateRevisionForPathsRequest{ + Repo: &v1alpha1.Repository{Repo: "https://github.com", Type: "git"}, + RefSources: v1alpha1.RefTargetRevisionMapping{ + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "HEAD-1"}, + }, + SyncedRefSources: v1alpha1.RefTargetRevisionMapping{ + "$values_2": {Repo: v1alpha1.Repository{Repo: "a-url.com"}, Chart: "test", TargetRevision: "SYNCEDHEAD-1"}, + }, + Revision: "HEAD", + SyncedRevision: "SYNCEDHEAD", + Paths: []string{"."}, + AppLabelKey: "app.kubernetes.io/name", + AppName: "no-change-update-cache", + Namespace: "default", + TrackingMethod: "annotation+label", + ApplicationSource: &v1alpha1.ApplicationSource{ + Path: ".", + Helm: &v1alpha1.ApplicationSourceHelm{ReleaseName: "test", ValueFiles: []string{"path"}}, + RepoURL: "https://github.com", + TargetRevision: "HEAD", + }, + KubeVersion: "v1.16.0", + HasMultipleSources: true, + }, + }, want: &apiclient.UpdateRevisionForPathsResponse{ + Revision: "632039659e542ed7de0c170a4fcc1c571b288fc0", Changes: true, // FIXME: need to fix changes=true, because now test can't mock Rename cache + }, wantErr: assert.NoError, cacheHit: &cacheHit{ + previousRevision: "632039659e542ed7de0c170a4fcc1c571b288fc0", + revision: "1e67a504d03def3a6a1125d934cb511680f72555", + }}, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
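Review bot: In the new `IgnoreRefSourcesForGitSource` case the expected `cacheHit` is `previousRevision: "632039…fc0"`, `revision: "1e67…555"`, the reverse of every other case in this table, where `LsRemote("SYNCEDHEAD")` resolving to `1e67…` is the previous revision and `LsRemote("HEAD")` resolving to `632039…` is the new one. If the reversal is intentional, a one-line comment on the case (`// git source with ref sources: previous/new are resolved in the opposite order`, adjusted to the real reason) would stop the next reader from "fixing" it; if it is not, the test is pinning the wrong cache write. Separately, `NoChangesHelmWithRefMultiSource_IgnoreUnusedRef` and `_UndefinedRef` still register `.Once()` expectations for `IsRevisionPresent` on the `732039…`/`2e67…` revisions that belong to the unused `$values_2` ref, which presumably go unconsumed when the service skips that ref and would fail only if the mock's expectations are asserted at cleanup — worth confirming either way. The enclosing test function starts before and ends after this hunk.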
@@ -4129,10 +4337,8 @@ func TestGetRefs_CacheWithLockDisabled(t *testing.T) { t.Cleanup(cacheMocks.mockCache.StopRedisCallback) var wg sync.WaitGroup numberOfCallers := 10 - for i := 0; i < numberOfCallers; i++ { - wg.Add(1) - go func() { - defer wg.Done() + for range numberOfCallers { + wg.Go(func() { client, err := git.NewClient("file://"+dir, git.NopCreds{}, true, false, "", "", git.WithCache(cacheMocks.cache, true)) require.NoError(t, err) refs, err := client.LsRefs() @@ -4140,7 +4346,7 @@ func TestGetRefs_CacheWithLockDisabled(t *testing.T) { assert.NotNil(t, refs) assert.NotEmpty(t, refs.Branches, "Expected branches to be populated") assert.NotEmpty(t, refs.Branches[0]) - }() + }) } wg.Wait() // Unlock should not have been called @@ -4185,10 +4391,8 @@ func TestGetRefs_CacheWithLock(t *testing.T) { t.Cleanup(cacheMocks.mockCache.StopRedisCallback) var wg sync.WaitGroup numberOfCallers := 10 - for i := 0; i < numberOfCallers; i++ { - wg.Add(1) - go func() { - defer wg.Done() + for range numberOfCallers { + wg.Go(func() { client, err := git.NewClient("file://"+dir, git.NopCreds{}, true, false, "", "", git.WithCache(cacheMocks.cache, true)) require.NoError(t, err) refs, err := client.LsRefs() @@ -4196,7 +4400,7 @@ func TestGetRefs_CacheWithLock(t *testing.T) { assert.NotNil(t, refs) assert.NotEmpty(t, refs.Branches, "Expected branches to be populated") assert.NotEmpty(t, refs.Branches[0]) - }() + }) } wg.Wait() // Unlock should not have been called diff --git a/reposerver/repository/utils.go b/reposerver/repository/utils.go index 9dc45f2b85..08148aec0e 100644 --- a/reposerver/repository/utils.go +++ b/reposerver/repository/utils.go @@ -36,7 +36,7 @@ func getApplicationRootPath(q *apiclient.ManifestRequest, appPath, repoPath stri }(len(commonParts), len(parts)) // check if diverge /disjoint in some point - for i := 0; i < minLen; i++ { + for i := range minLen { if commonParts[i] != parts[i] { commonParts = commonParts[:i] disjoint = true 
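Review bot: `require.NoError(t, err)` inside the `wg.Go` closure in `TestGetRefs_CacheWithLockDisabled` (and the identical hunk in `TestGetRefs_CacheWithLock`) calls `t.FailNow` from a goroutine other than the one running the test, which the `testing` package documents as not allowed; the pre-existing `go func()` form had the same problem, but the conversion to `wg.Go` is the natural moment to fix it. Replace it with `if !assert.NoError(t, err) { return }` so the failure is recorded without `FailNow`, leaving the rest of the closure unchanged. Both enclosing test functions start and end outside these hunks.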
@@ -55,7 +55,7 @@ func getApplicationRootPath(q *apiclient.ManifestRequest, appPath, repoPath stri // getPaths retrieves all absolute paths associated with the generation of application manifests. func getPaths(q *apiclient.ManifestRequest, appPath, repoPath string) []string { var paths []string - for _, annotationPath := range strings.Split(q.AnnotationManifestGeneratePaths, ";") { + for annotationPath := range strings.SplitSeq(q.AnnotationManifestGeneratePaths, ";") { if annotationPath == "" { continue } diff --git a/reposerver/repository/utils_test.go b/reposerver/repository/utils_test.go index 1664adf02d..36712598cc 100644 --- a/reposerver/repository/utils_test.go +++ b/reposerver/repository/utils_test.go @@ -34,7 +34,6 @@ func TestGetCommonRootPath(t *testing.T) { } for _, tt := range tests { - tt := tt t.Run(tt.name, func(t *testing.T) { t.Parallel() diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/health.lua b/resource_customizations/_.cnrm.cloud.google.com/_/health.lua index cf5cf2ba23..0e89eea981 100644 --- a/resource_customizations/_.cnrm.cloud.google.com/_/health.lua +++ b/resource_customizations/_.cnrm.cloud.google.com/_/health.lua @@ -3,6 +3,22 @@ local hs = { message = "Update in progress" } if obj.status ~= nil then + -- ConfigConnector and ConfigConnectorContext use status.healthy instead of conditions + if (obj.kind == "ConfigConnector" or obj.kind == "ConfigConnectorContext") and obj.status.healthy ~= nil then + -- Check if status is stale + if obj.status.observedGeneration == nil or obj.status.observedGeneration == obj.metadata.generation then + if obj.status.healthy == true then + hs.status = "Healthy" + hs.message = obj.kind .. " is healthy" + return hs + else + hs.status = "Degraded" + hs.message = obj.kind .. " is not healthy" + return hs + end + end + end + if obj.status.conditions ~= nil then -- Progressing health while the resource status is stale, skip if observedGeneration is not set 
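Review bot: The new ConfigConnector/ConfigConnectorContext branch in `health.lua` returns only when `observedGeneration` is unset or equals `metadata.generation`; a stale status falls through to the `conditions` path and ends up Progressing only because these kinds carry no `conditions`, so the `config-connector-stale.yaml` expectation holds for an incidental reason. Make the stale outcome explicit inside the kind check by adding `else return hs end` after the generation comparison, which returns the initial Progressing/"Update in progress" value without depending on what follows (assuming `hs` is initialised with `status = "Progressing"`, which the leading context and the existing `generation.yaml` test suggest). The enclosing `if obj.status ~= nil` block ends outside the hunk.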
diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/health_test.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/health_test.yaml index 982aae23f0..a63e6bdbed 100644 --- a/resource_customizations/_.cnrm.cloud.google.com/_/health_test.yaml +++ b/resource_customizations/_.cnrm.cloud.google.com/_/health_test.yaml @@ -22,4 +22,24 @@ tests: - healthStatus: status: Progressing message: 'Update in progress' - inputPath: testdata/generation.yaml \ No newline at end of file + inputPath: testdata/generation.yaml +- healthStatus: + status: Healthy + message: "ConfigConnectorContext is healthy" + inputPath: testdata/config-connector-context.yaml +- healthStatus: + status: Degraded + message: "ConfigConnectorContext is not healthy" + inputPath: testdata/config-connector-context-unhealthy.yaml +- healthStatus: + status: Healthy + message: "ConfigConnector is healthy" + inputPath: testdata/config-connector-healthy.yaml +- healthStatus: + status: Degraded + message: "ConfigConnector is not healthy" + inputPath: testdata/config-connector-unhealthy.yaml +- healthStatus: + status: Progressing + message: "Update in progress" + inputPath: testdata/config-connector-stale.yaml diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context-unhealthy.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context-unhealthy.yaml new file mode 100644 index 0000000000..92b8929f7e --- /dev/null +++ b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context-unhealthy.yaml @@ -0,0 +1,11 @@ +apiVersion: core.cnrm.cloud.google.com/v1beta1 +kind: ConfigConnectorContext +metadata: + generation: 1 + name: configconnectorcontext.core.cnrm.cloud.google.com + namespace: foo +spec: + googleServiceAccount: foo@bar.iam.gserviceaccount.com +status: + healthy: false + observedGeneration: 1 
diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context.yaml
new file mode 100644
index 0000000000..6e63298a9c
--- /dev/null
+++ b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-context.yaml
@@ -0,0 +1,11 @@
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnectorContext
+metadata:
+ generation: 1
+ name: configconnectorcontext.core.cnrm.cloud.google.com
+ namespace: foo
+spec:
+ googleServiceAccount: foo@bar.iam.gserviceaccount.com
+status:
+ healthy: true
+ observedGeneration: 1
diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-healthy.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-healthy.yaml
new file mode 100644
index 0000000000..5095fac9dd
--- /dev/null
+++ b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-healthy.yaml
@@ -0,0 +1,12 @@
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnector
+metadata:
+ finalizers:
+ - configconnector.cnrm.cloud.google.com/finalizer
+ generation: 2
+ name: configconnector.core.cnrm.cloud.google.com
+spec:
+ mode: namespaced
+status:
+ healthy: true
+ observedGeneration: 2
diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-stale.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-stale.yaml
new file mode 100644
index 0000000000..0b7ba3cd5a
--- /dev/null
+++ b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-stale.yaml
@@ -0,0 +1,12 @@
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnector
+metadata:
+ finalizers:
+ - configconnector.cnrm.cloud.google.com/finalizer
+ generation: 3
+ name: configconnector.core.cnrm.cloud.google.com
+spec:
+ mode: namespaced
+status:
+ healthy: true
+ observedGeneration: 2
diff --git a/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-unhealthy.yaml b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-unhealthy.yaml
new file mode 100644
index 0000000000..33eb5d8553
--- /dev/null
+++ b/resource_customizations/_.cnrm.cloud.google.com/_/testdata/config-connector-unhealthy.yaml
@@ -0,0 +1,12 @@
+apiVersion: core.cnrm.cloud.google.com/v1beta1
+kind: ConfigConnector
+metadata:
+ finalizers:
+ - configconnector.cnrm.cloud.google.com/finalizer
+ generation: 2
+ name: configconnector.core.cnrm.cloud.google.com
+spec:
+ mode: namespaced
+status:
+ healthy: false
+ observedGeneration: 2
diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health.lua b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health.lua
new file mode 100644
index 0000000000..b59fccc941
--- /dev/null
+++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health.lua
@@ -0,0 +1,59 @@ +-- NodeNetworkConfigurationPolicy (NNCP) is a cluster-scoped resource that defines +-- the desired network configuration for nodes in a Kubernetes cluster. +-- +-- Documentation: +-- User guide (configuration & conditions): https://github.com/nmstate/kubernetes-nmstate/blob/main/docs/user-guide/102-configuration.md +-- Troubleshooting (failure states): https://github.com/nmstate/kubernetes-nmstate/blob/main/docs/user-guide/103-troubleshooting.md +-- +-- Condition types and reasons are defined in: +-- https://github.com/nmstate/kubernetes-nmstate/blob/main/api/shared/nodenetworkconfigurationpolicy_types.go +-- +-- NNCP exposes three active condition types: +-- Available (True) - All matched nodes successfully configured (SuccessfullyConfigured) +-- Degraded (True) - One or more nodes failed to configure (FailedToConfigure) +-- Progressing (True) - Configuration is being applied across nodes (ConfigurationProgressing) +-- Ignored (True) - Policy matches no nodes (NoMatchingNode) +-- +-- ArgoCD health mapping: +-- Available=True => Healthy +-- Degraded=True => Degraded +-- Progressing=True => Progressing +-- Ignored=True => Suspended (policy intentionally matches no nodes) +-- No status yet => Progressing +local hs = {} +if obj.status ~= nil then + if obj.status.conditions ~= nil then + for i, condition in ipairs(obj.status.conditions) do + if condition.status == "True" then + local msg = condition.reason + if condition.message ~= nil and condition.message ~= "" then + msg = condition.reason .. ": " .. 
condition.message + end + if condition.type == "Available" then + hs.status = "Healthy" + hs.message = msg + return hs + end + if condition.type == "Degraded" then + hs.status = "Degraded" + hs.message = msg + return hs + end + if condition.type == "Progressing" then + hs.status = "Progressing" + hs.message = msg + return hs + end + if condition.type == "Ignored" then + hs.status = "Suspended" + hs.message = msg + return hs + end + end + end + end +end + +hs.status = "Progressing" +hs.message = "Waiting for policy to be applied" +return hs diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health_test.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health_test.yaml new file mode 100644 index 0000000000..c067297903 --- /dev/null +++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/health_test.yaml @@ -0,0 +1,21 @@ +tests: +- healthStatus: + status: Progressing + message: Waiting for policy to be applied + inputPath: testdata/progressing_noStatus.yaml +- healthStatus: + status: Progressing + message: "ConfigurationProgressing: Policy is progressing 0/1 nodes finished" + inputPath: testdata/progressing_configuring.yaml +- healthStatus: + status: Healthy + message: "SuccessfullyConfigured: 1/1 nodes successfully configured" + inputPath: testdata/healthy_configured.yaml +- healthStatus: + status: Degraded + message: "FailedToConfigure: 1/1 nodes failed to configure" + inputPath: testdata/degraded_failedToConfigure.yaml +- healthStatus: + status: Suspended + message: NoMatchingNode + inputPath: testdata/suspended_noMatchingNode.yaml diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/degraded_failedToConfigure.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/degraded_failedToConfigure.yaml new file mode 100644 index 0000000000..c76f0b93f9 --- /dev/null 
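Review bot: `msg = condition.reason .. ": " .. condition.message` in the new NodeNetworkConfigurationPolicy `health.lua` raises a Lua error when `reason` is nil (nil cannot be concatenated), and the `local msg = condition.reason` fallback then sets a nil `hs.message`; every condition in the testdata carries a reason, but nothing in the script guarantees it. Initialise defensively with `local msg = condition.reason or condition.type` (or `or ""`). The loop also returns on the first `status == "True"` condition in array order, so if the controller can report `Degraded` and `Progressing` as True at the same time the result depends on how it ordered the array; evaluating by priority (Degraded, then Progressing, then Available, then Ignored) rather than by position would make the mapping deterministic. Minor: the header comment says "three active condition types" and then lists four, and the unused loop index `i` can be `_`.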
+++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/degraded_failedToConfigure.yaml @@ -0,0 +1,30 @@ +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: test-node-network-configuration-policy +spec: + nodeSelector: + kubernetes.io/hostname: node1 + desiredState: + interfaces: + - name: eth1 + type: ethernet + state: up +status: + conditions: + - lastHeartbeatTime: '2026-02-11T12:28:37Z' + lastTransitionTime: '2026-02-11T12:28:37Z' + reason: FailedToConfigure + status: 'False' + type: Available + - lastHeartbeatTime: '2026-02-11T12:28:37Z' + lastTransitionTime: '2026-02-11T12:28:37Z' + message: 1/1 nodes failed to configure + reason: FailedToConfigure + status: 'True' + type: Degraded + - lastHeartbeatTime: '2026-02-11T12:28:37Z' + lastTransitionTime: '2026-02-11T12:28:37Z' + reason: ConfigurationProgressing + status: 'False' + type: Progressing diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/healthy_configured.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/healthy_configured.yaml new file mode 100644 index 0000000000..5af640ef88 --- /dev/null +++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/healthy_configured.yaml 
@@ -0,0 +1,30 @@ +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: test-node-network-configuration-policy +spec: + nodeSelector: + kubernetes.io/hostname: node1 + desiredState: + interfaces: + - name: eth1 + type: ethernet + state: up +status: + conditions: + - lastHeartbeatTime: '2026-02-18T13:41:43Z' + lastTransitionTime: '2026-02-18T13:41:43Z' + message: 1/1 nodes successfully configured + reason: SuccessfullyConfigured + status: 'True' + type: Available + - lastHeartbeatTime: '2026-02-18T13:41:43Z' + lastTransitionTime: '2026-02-18T13:41:43Z' + reason: SuccessfullyConfigured + status: 'False' + type: Degraded + - lastHeartbeatTime: '2026-02-18T13:41:43Z' + lastTransitionTime: '2026-02-18T13:41:43Z' + reason: ConfigurationProgressing + status: 'False' + type: Progressing diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_configuring.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_configuring.yaml new file mode 100644 index 0000000000..986c1f82a5 --- /dev/null +++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_configuring.yaml 
@@ -0,0 +1,30 @@ +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: test-node-network-configuration-policy +spec: + nodeSelector: + kubernetes.io/hostname: node1 + desiredState: + interfaces: + - name: eth1 + type: ethernet + state: up +status: + conditions: + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: ConfigurationProgressing + status: Unknown + type: Available + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: ConfigurationProgressing + status: Unknown + type: Degraded + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + message: Policy is progressing 0/1 nodes finished + reason: ConfigurationProgressing + status: 'True' + type: Progressing diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_noStatus.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_noStatus.yaml new file mode 100644 index 0000000000..3bb421de45 --- /dev/null +++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/progressing_noStatus.yaml @@ -0,0 +1,12 @@ +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: test-node-network-configuration-policy +spec: + nodeSelector: + kubernetes.io/hostname: node1 + desiredState: + interfaces: + - name: eth1 + type: ethernet + state: up diff --git a/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/suspended_noMatchingNode.yaml b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/suspended_noMatchingNode.yaml new file mode 100644 index 0000000000..e900c2dfdb --- /dev/null +++ b/resource_customizations/nmstate.io/NodeNetworkConfigurationPolicy/testdata/suspended_noMatchingNode.yaml 
@@ -0,0 +1,34 @@ +apiVersion: nmstate.io/v1 +kind: NodeNetworkConfigurationPolicy +metadata: + name: test-node-network-configuration-policy +spec: + nodeSelector: + kubernetes.io/hostname: node1 + desiredState: + interfaces: + - name: eth1 + type: ethernet + state: up +status: + conditions: + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: NoMatchingNode + status: 'False' + type: Available + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: NoMatchingNode + status: 'False' + type: Degraded + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: NoMatchingNode + status: 'False' + type: Progressing + - lastHeartbeatTime: '2026-02-18T14:16:33Z' + lastTransitionTime: '2026-02-18T14:16:33Z' + reason: NoMatchingNode + status: 'True' + type: Ignored diff --git a/resource_customizations/projectcontour.io/HTTPProxy/health.lua b/resource_customizations/projectcontour.io/HTTPProxy/health.lua index 0fd1a15115..3f57e9a908 100644 --- a/resource_customizations/projectcontour.io/HTTPProxy/health.lua +++ b/resource_customizations/projectcontour.io/HTTPProxy/health.lua @@ -15,6 +15,9 @@ if obj.status then hs.status = "Healthy" hs.message = obj.status.description return hs + elseif obj.spec.includes ~= nil and cond.status == "False" then + hs.status = "Healthy" + hs.message = "HTTPProxy inclusions cannot be health checked" -- Parent/child pairs depend on each other circularly. This means that, without this check here, we block deployments. Either we flag orphans as valid/unknown, risking a successful deploy followed by subsequent failures once adopted, or we mark proxies with inclusions (parents) as healthy. elseif cond.type == "Valid" and cond.status == "False" then hs.status = "Degraded" hs.message = obj.status.description 
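Review bot: The new `elseif obj.spec.includes ~= nil and cond.status == "False"` branch in `HTTPProxy/health.lua` checks neither `cond.type` nor why the proxy is invalid, and it sits ahead of the `Valid`/`False` → Degraded branch, so every HTTPProxy with `includes` whose `Valid` condition is False is reported Healthy for any reason, not just the missing-child case the comment describes; a parent with a real misconfiguration would be marked Healthy and the sync would proceed silently. Narrow it to the circular-dependency case: require `cond.type == "Valid"` and that the condition's `errors` contain only entries with `reason == "IncludeNotFound"` (the reason used by the `parent_child.yaml` testdata), and fall through to Degraded otherwise. The inline comment is long enough to deserve its own lines above the branch. The enclosing loop over conditions starts and ends outside the hunk.
```lua
-- Parent/child HTTPProxy pairs depend on each other circularly: a parent whose only
-- errors are missing includes cannot be validated until its children exist, so it is
-- treated as Healthy; any other invalid condition still reports Degraded below.
local function onlyIncludeNotFound(errors)
  if errors == nil then return false end
  for _, e in ipairs(errors) do
    if e.reason ~= "IncludeNotFound" then return false end
  end
  return true
end
-- … unchanged: hs initialisation and the loop over obj.status.conditions …
      elseif obj.spec.includes ~= nil and cond.type == "Valid" and cond.status == "False" and onlyIncludeNotFound(cond.errors) then
        hs.status = "Healthy"
        hs.message = "HTTPProxy inclusions cannot be health checked"
```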
diff --git a/resource_customizations/projectcontour.io/HTTPProxy/health_test.yaml b/resource_customizations/projectcontour.io/HTTPProxy/health_test.yaml index 7930f9437c..56ea27219c 100644 --- a/resource_customizations/projectcontour.io/HTTPProxy/health_test.yaml +++ b/resource_customizations/projectcontour.io/HTTPProxy/health_test.yaml @@ -18,4 +18,8 @@ tests: - healthStatus: status: Progressing message: 'Waiting for status' - inputPath: testdata/generation.yaml \ No newline at end of file + inputPath: testdata/generation.yaml +- healthStatus: + status: Healthy + message: 'HTTPProxy inclusions cannot be health checked' + inputPath: testdata/parent_child.yaml diff --git a/resource_customizations/projectcontour.io/HTTPProxy/testdata/parent_child.yaml b/resource_customizations/projectcontour.io/HTTPProxy/testdata/parent_child.yaml new file mode 100644 index 0000000000..f0dcdddcb8 --- /dev/null +++ b/resource_customizations/projectcontour.io/HTTPProxy/testdata/parent_child.yaml @@ -0,0 +1,28 @@ +apiVersion: projectcontour.io/v1 +kind: HTTPProxy +metadata: + generation: 1 + name: basic +spec: + virtualhost: + fqdn: foo-basic.bar.com + includes: + - name: unimportant +status: + conditions: + - errors: + - message: include unimportant not found + reason: IncludeNotFound + status: "True" + type: IncludeError + type: Valid + status: "False" + observedGeneration: 1 + lastTransitionTime: "2025-04-07T10:00:00Z" + reason: ErrorPresent + message: At least one error present, see Errors for details + currentStatus: invalid + description: At least one error present, see Errors for details + loadBalancer: + ingress: + - hostname: www.example.com diff --git a/server/application/application.go b/server/application/application.go index 9d5e96c1aa..19a83f66b9 100644 --- a/server/application/application.go +++ b/server/application/application.go @@ -5,6 +5,7 @@ import ( "encoding/json" "errors" "fmt" + "maps" "math" "reflect" "slices" 
@@ -15,12 +16,12 @@ import ( cacheutil "github.com/argoproj/argo-cd/v3/util/cache" - kubecache "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/text" + kubecache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/argoproj/pkg/v2/sync" jsonpatch "github.com/evanphx/json-patch" log "github.com/sirupsen/logrus" @@ -63,7 +64,7 @@ import ( "github.com/argoproj/argo-cd/v3/util/session" "github.com/argoproj/argo-cd/v3/util/settings" - resourceutil "github.com/argoproj/gitops-engine/pkg/sync/resource" + resourceutil "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/resource" applicationType "github.com/argoproj/argo-cd/v3/pkg/apis/application" argodiff "github.com/argoproj/argo-cd/v3/util/argo/diff" @@ -990,7 +991,7 @@ func (s *Server) waitSync(app *v1alpha1.Application) { } func (s *Server) updateApp(ctx context.Context, app *v1alpha1.Application, newApp *v1alpha1.Application, merge bool) (*v1alpha1.Application, error) { - for i := 0; i < 10; i++ { + for range 10 { app.Spec = newApp.Spec if merge { app.Labels = collections.Merge(app.Labels, newApp.Labels) 
@@ -1771,8 +1772,7 @@ func (s *Server) ManagedResources(ctx context.Context, q *application.ResourcesQ
 return s.cache.GetAppManagedResources(a.InstanceName(s.ns), &items)
 })
 if err != nil {
- log.Warnf("error getting cached app managed resources for %s/%s, cache unavailable, returning empty managed resources: %v", a.Namespace, a.Name, err)
- return &application.ManagedResourcesResponse{Items: []*v1alpha1.ResourceDiff{}}, nil
+ return nil, fmt.Errorf("error getting cached app managed resources: %w", err)
 }
 res := &application.ManagedResourcesResponse{}
 for i := range items {
@@ -2439,7 +2439,7 @@ func (s *Server) TerminateOperation(ctx context.Context, termOpReq *application.
 return nil, err
 }
 
- for i := 0; i < 10; i++ {
+ for range 10 {
 if a.Operation == nil || a.Status.OperationState == nil {
 return nil, status.Errorf(codes.InvalidArgument, "Unable to terminate operation. No operation is in progress")
 }
@@ -2917,9 +2917,7 @@ func (s *Server) ServerSideDiff(ctx context.Context, q *application.ApplicationS
 
 // Convert to map format expected by DiffConfigBuilder
 overrides := make(map[string]v1alpha1.ResourceOverride)
- for k, v := range resourceOverrides {
- overrides[k] = v
- }
+ maps.Copy(overrides, resourceOverrides)
 
 // Get cluster connection for server-side dry run
 cluster, err := argo.GetDestinationCluster(ctx, a.Spec.Destination, s.db)
diff --git a/server/application/application_test.go b/server/application/application_test.go
index a09f7f37bb..4d940ac4c5 100644
--- a/server/application/application_test.go
+++ b/server/application/application_test.go
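Review bot: The new `return nil, fmt.Errorf("error getting cached app managed resources: %w", err)` hands the raw cache error to API clients as a plain Go error, which the gRPC layer will report without a meaningful status code and with the backend's own error text (cache connection details, for instance) in the message, unless an interceptor upstream of this handler maps plain errors. The replaced code was an explicit best-effort fallback, so its replacement should at least carry a status, e.g. `return nil, status.Errorf(codes.Unavailable, "error getting cached app managed resources: %v", err)`, and log the underlying error server-side rather than forwarding its text; `status` and `codes` are already used in TerminateOperation in this file. The remainder of ManagedResources lies outside the hunk.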
@@ -14,10 +14,10 @@ import ( "k8s.io/apimachinery/pkg/labels" - "github.com/argoproj/gitops-engine/pkg/health" - synccommon "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + synccommon "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest" "github.com/argoproj/pkg/v2/sync" "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" @@ -1004,7 +1004,7 @@ func TestNoAppEnumeration(t *testing.T) { assert.EqualError(t, err, "rpc error: code = NotFound desc = applications.argoproj.io \"doest-not-exist\" not found", "when the request specifies a project, we can return the standard k8s error message") }) - //nolint:staticcheck,SA1019 // RunResourceAction is deprecated, but we still need to support it for backward compatibility. + //nolint:staticcheck // SA1019: RunResourceAction is deprecated, but we still need to support it for backward compatibility. t.Run("RunResourceAction", func(t *testing.T) { _, err := appServer.RunResourceAction(adminCtx, &application.ResourceActionRunRequest{Name: ptr.To("test"), ResourceName: ptr.To("test"), Group: ptr.To("apps"), Kind: ptr.To("Deployment"), Namespace: ptr.To("test"), Action: ptr.To("restart")}) require.NoError(t, err) 
@@ -1327,14 +1327,14 @@ func TestCoupleAppsListApps(t *testing.T) { ctx := t.Context() var groups []string - for i := 0; i < 50; i++ { + for i := range 50 { groups = append(groups, fmt.Sprintf("group-%d", i)) } //nolint:staticcheck ctx = context.WithValue(ctx, "claims", &jwt.MapClaims{"groups": groups}) - for projectId := 0; projectId < 100; projectId++ { + for projectId := range 100 { projectName := fmt.Sprintf("proj-%d", projectId) - for appId := 0; appId < 100; appId++ { + for appId := range 100 { objects = append(objects, newTestApp(func(app *v1alpha1.Application) { app.Name = fmt.Sprintf("app-%d-%d", projectId, appId) app.Spec.Project = projectName @@ -1367,7 +1367,7 @@ g, group-49, role:test3 func generateTestApp(num int) []*v1alpha1.Application { apps := []*v1alpha1.Application{} - for i := 0; i < num; i++ { + for i := range num { apps = append(apps, newTestApp(func(app *v1alpha1.Application) { app.Name = fmt.Sprintf("test-app%.6d", i) })) @@ -1385,8 +1385,7 @@ func BenchmarkListMuchApps(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { _, err := appServer.List(b.Context(), &application.ApplicationQuery{}) if err != nil { break @@ -1403,8 +1402,7 @@ func BenchmarkListSomeApps(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { _, err := appServer.List(b.Context(), &application.ApplicationQuery{}) if err != nil { break @@ -1421,8 +1419,7 @@ func BenchmarkListFewApps(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { _, err := appServer.List(b.Context(), &application.ApplicationQuery{}) if err != nil { break 
@@ -1443,8 +1440,7 @@ func BenchmarkListMuchAppsWithName(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { app := &application.ApplicationQuery{Name: strToPtr("test-app000099")} _, err := appServer.List(b.Context(), app) if err != nil { @@ -1464,8 +1460,7 @@ func BenchmarkListMuchAppsWithProjects(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { app := &application.ApplicationQuery{Project: []string{"test-project1", "test-project2"}} _, err := appServer.List(b.Context(), app) if err != nil { @@ -1484,8 +1479,7 @@ func BenchmarkListMuchAppsWithRepo(b *testing.B) { } appServer := newTestAppServerWithBenchmark(b, obj...) - b.ResetTimer() - for n := 0; n < b.N; n++ { + for b.Loop() { app := &application.ApplicationQuery{Repo: strToPtr("https://some-fake-source")} _, err := appServer.List(b.Context(), app) if err != nil { @@ -3133,7 +3127,7 @@ func createAppServerWithMaxLodLogs(t *testing.T, podNumber int, maxPodLogsToRend runtimeObjects := make([]runtime.Object, podNumber+1) resources := make([]v1alpha1.ResourceStatus, podNumber) - for i := 0; i < podNumber; i++ { + for i := range podNumber { pod := corev1.Pod{ TypeMeta: metav1.TypeMeta{ APIVersion: "v1", diff --git a/server/application/logs.go b/server/application/logs.go index b52eef81e2..1fceb27fb7 100644 --- a/server/application/logs.go +++ b/server/application/logs.go @@ -44,7 +44,7 @@ func parseLogsStream(podName string, stream io.ReadCloser, ch chan logEntry) { } lines := strings.Join(parts[1:], " ") - for _, line := range strings.Split(lines, "\r") { + for line := range strings.SplitSeq(lines, "\r") { ch <- logEntry{line: line, timeStamp: logTime, podName: podName} } } diff --git a/server/application/logs_test.go b/server/application/logs_test.go index fad125b33a..7cec1ff31a 100644 --- a/server/application/logs_test.go 
+++ b/server/application/logs_test.go @@ -78,7 +78,7 @@ func TestMergeLogStreams(t *testing.T) { func TestMergeLogStreams_RaceCondition(_ *testing.T) { // Test for regression of this issue: https://github.com/argoproj/argo-cd/issues/7006 - for i := 0; i < 5000; i++ { + for i := range 5000 { first := make(chan logEntry) second := make(chan logEntry) diff --git a/server/application/terminal.go b/server/application/terminal.go index da20f712a9..cae647b24f 100644 --- a/server/application/terminal.go +++ b/server/application/terminal.go @@ -4,9 +4,10 @@ import ( "context" "io" "net/http" + "slices" "time" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" @@ -240,7 +241,7 @@ func (s *terminalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { // load balancers which may close an idle connection after some period of time go session.StartKeepalives(time.Second * 5) - if isValidShell(s.allowedShells, shell) { + if slices.Contains(s.allowedShells, shell) { cmd := []string{shell} err = startProcess(kubeClientset, config, namespace, podName, container, cmd, session) } else { @@ -337,13 +338,3 @@ func startProcess(k8sClient kubernetes.Interface, cfg *rest.Config, namespace, p Tty: true, }) } - -// isValidShell checks if the shell is an allowed one -func isValidShell(validShells []string, shell string) bool { - for _, validShell := range validShells { - if validShell == shell { - return true - } - } - return false -} diff --git a/server/application/terminal_test.go b/server/application/terminal_test.go index 0a571adb0b..f39c082465 100644 --- a/server/application/terminal_test.go +++ b/server/application/terminal_test.go 
@@ -6,7 +6,7 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" diff --git a/server/applicationset/applicationset.go b/server/applicationset/applicationset.go index 35e52d76c5..97db9fd437 100644 --- a/server/applicationset/applicationset.go +++ b/server/applicationset/applicationset.go @@ -278,7 +278,7 @@ func (s *Server) updateAppSet(ctx context.Context, appset *v1alpha1.ApplicationS } } - for i := 0; i < 10; i++ { + for range 10 { appset.Spec = newAppset.Spec if merge { appset.Labels = collections.Merge(appset.Labels, newAppset.Labels) diff --git a/server/applicationset/applicationset_test.go b/server/applicationset/applicationset_test.go index 2be986ee15..03fa5c2781 100644 --- a/server/applicationset/applicationset_test.go +++ b/server/applicationset/applicationset_test.go @@ -7,7 +7,7 @@ import ( "sigs.k8s.io/controller-runtime/pkg/client" cr_fake "sigs.k8s.io/controller-runtime/pkg/client/fake" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/argoproj/pkg/v2/sync" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/server/badge/badge.go b/server/badge/badge.go index ffca53900c..5243a856a8 100644 --- a/server/badge/badge.go +++ b/server/badge/badge.go @@ -8,7 +8,7 @@ import ( "strconv" "strings" - healthutil "github.com/argoproj/gitops-engine/pkg/health" + healthutil "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/validation" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -72,7 +72,7 @@ const ( ) func replaceFirstGroupSubMatch(re *regexp.Regexp, str string, repl string) string { - result := "" + var result strings.Builder lastIndex := 0 for _, v := range re.FindAllSubmatchIndex([]byte(str), -1) { @@ -81,11 +81,11 @@ func replaceFirstGroupSubMatch(re *regexp.Regexp, str string, repl string) strin groups = append(groups, str[v[i]:v[i+1]]) } - result += str[lastIndex:v[0]] + groups[0] + repl + result.WriteString(str[lastIndex:v[0]] + groups[0] + repl) lastIndex = v[1] } - return result + str[lastIndex:] + return result.String() + str[lastIndex:] } // ServeHTTP returns badge with health and sync status for application diff --git a/server/badge/badge_test.go b/server/badge/badge_test.go index 0997eef49b..2f28e808bb 100644 --- a/server/badge/badge_test.go +++ b/server/badge/badge_test.go @@ -12,7 +12,7 @@ import ( appclientset "github.com/argoproj/argo-cd/v3/pkg/client/clientset/versioned/fake" "github.com/argoproj/argo-cd/v3/util/settings" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/server/badge/color.go b/server/badge/color.go index c86042b536..1ab3c4e7f9 100644 --- a/server/badge/color.go +++ b/server/badge/color.go @@ -6,7 +6,7 @@ import ( appv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" ) var ( diff --git a/server/cluster/cluster.go b/server/cluster/cluster.go index 8b8883c80e..367bf5a9dd 100644 --- a/server/cluster/cluster.go +++ b/server/cluster/cluster.go @@ -6,7 +6,7 @@ import ( "net/url" "time" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" 
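Review bot: `result.WriteString(str[lastIndex:v[0]] + groups[0] + repl)` in the second badge.go hunk still builds the concatenated temporary string before copying it into the builder, so the switch to `strings.Builder` does not remove the per-match allocation it was presumably meant to; write the three pieces separately: `result.WriteString(str[lastIndex:v[0]])`, `result.WriteString(groups[0])`, `result.WriteString(repl)`. Likewise the final `return result.String() + str[lastIndex:]` can become `result.WriteString(str[lastIndex:]); return result.String()`. Behaviour is unchanged either way; replaceFirstGroupSubMatch's header is in the first hunk and its loop body in the second.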
@@ -117,7 +117,7 @@ func filterClustersByName(clusters []appv1.Cluster, name string) []appv1.Cluster return clusters } items := make([]appv1.Cluster, 0) - for i := 0; i < len(clusters); i++ { + for i := range clusters { if clusters[i].Name == name { items = append(items, clusters[i]) return items @@ -131,7 +131,7 @@ func filterClustersByServer(clusters []appv1.Cluster, server string) []appv1.Clu return clusters } items := make([]appv1.Cluster, 0) - for i := 0; i < len(clusters); i++ { + for i := range clusters { if clusters[i].Server == server { items = append(items, clusters[i]) return items diff --git a/server/cluster/cluster_test.go b/server/cluster/cluster_test.go index c9d55bc0bf..16e503491b 100644 --- a/server/cluster/cluster_test.go +++ b/server/cluster/cluster_test.go @@ -8,7 +8,7 @@ import ( "testing" "time" - "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest" "github.com/golang-jwt/jwt/v5" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" @@ -682,8 +682,6 @@ func TestListCluster(t *testing.T) { }, } for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { t.Parallel() diff --git a/server/deeplinks/deeplinks.go b/server/deeplinks/deeplinks.go index c08b081555..ea78c82ec7 100644 --- a/server/deeplinks/deeplinks.go +++ b/server/deeplinks/deeplinks.go @@ -6,7 +6,7 @@ import ( "text/template" "github.com/Masterminds/sprig/v3" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/expr-lang/expr" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/utils/ptr" diff --git a/server/deeplinks/deeplinks_test.go b/server/deeplinks/deeplinks_test.go index 2f25ab6d9f..13df146427 100644 --- a/server/deeplinks/deeplinks_test.go +++ b/server/deeplinks/deeplinks_test.go 
@@ -5,7 +5,7 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/server/extension/extension_test.go b/server/extension/extension_test.go index b267cb53bf..b83a56e63d 100644 --- a/server/extension/extension_test.go +++ b/server/extension/extension_test.go @@ -210,7 +210,6 @@ func TestRegisterExtensions(t *testing.T) { // when for _, tc := range cases { - tc := tc t.Run(tc.name, func(t *testing.T) { // given t.Parallel() diff --git a/server/project/project.go b/server/project/project.go index 3b6cc41849..b534e738df 100644 --- a/server/project/project.go +++ b/server/project/project.go @@ -6,7 +6,7 @@ import ( "reflect" "strings" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/argoproj/pkg/v2/sync" "github.com/golang-jwt/jwt/v5" "github.com/google/uuid" @@ -547,7 +547,7 @@ func (s *Server) NormalizeProjs() error { return status.Errorf(codes.Internal, "Error retrieving project list: %s", err.Error()) } for _, proj := range projList.Items { - for i := 0; i < 3; i++ { + for i := range 3 { if !proj.NormalizeJWTTokens() { break } diff --git a/server/repository/repository.go b/server/repository/repository.go index e7bbe17763..30ff87167d 100644 --- a/server/repository/repository.go +++ b/server/repository/repository.go @@ -6,8 +6,8 @@ import ( "reflect" "sort" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/text" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" 
@@ -127,6 +127,7 @@ func (s *Server) getConnectionState(ctx context.Context, url string, project str } // List returns list of repositories +// // Deprecated: Use ListRepositories instead func (s *Server) List(ctx context.Context, q *repositorypkg.RepoQuery) (*v1alpha1.RepositoryList, error) { return s.ListRepositories(ctx, q) @@ -425,6 +426,7 @@ func (s *Server) GetHelmCharts(ctx context.Context, q *repositorypkg.RepoQuery) } // Create creates a repository or repository credential set +// // Deprecated: Use CreateRepository() instead func (s *Server) Create(ctx context.Context, q *repositorypkg.RepoCreateRequest) (*v1alpha1.Repository, error) { return s.CreateRepository(ctx, q) @@ -535,6 +537,7 @@ func (s *Server) CreateWriteRepository(ctx context.Context, q *repositorypkg.Rep } // Update updates a repository or credential set +// // Deprecated: Use UpdateRepository() instead func (s *Server) Update(ctx context.Context, q *repositorypkg.RepoUpdateRequest) (*v1alpha1.Repository, error) { return s.UpdateRepository(ctx, q) @@ -591,6 +594,7 @@ func (s *Server) UpdateWriteRepository(ctx context.Context, q *repositorypkg.Rep } // Delete removes a repository from the configuration +// // Deprecated: Use DeleteRepository() instead func (s *Server) Delete(ctx context.Context, q *repositorypkg.RepoQuery) (*repositorypkg.RepoResponse, error) { return s.DeleteRepository(ctx, q) 
@@ -787,6 +791,14 @@ func (s *Server) isRepoPermittedInProject(ctx context.Context, repo string, proj // isSourceInHistory checks if the supplied application source is either our current application // source, or was something which we synced to previously. func isSourceInHistory(app *v1alpha1.Application, source v1alpha1.ApplicationSource, index int32, versionId int32) bool { + if app.Spec.SourceHydrator != nil { + drySource := app.Spec.SourceHydrator.GetDrySource() + syncSource := app.Spec.SourceHydrator.GetSyncSource() + if source.Equals(&drySource) || source.Equals(&syncSource) { + return true + } + return false + } // We have to check if the spec is within the source or sources split // and then iterate over the historical if app.Spec.HasMultipleSources() { diff --git a/server/server.go b/server/server.go index 7f872adc49..29a4823419 100644 --- a/server/server.go +++ b/server/server.go @@ -44,8 +44,11 @@ import ( log "github.com/sirupsen/logrus" "github.com/soheilhy/cmux" "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc" + "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp" "go.opentelemetry.io/otel" + otel_codes "go.opentelemetry.io/otel/codes" "go.opentelemetry.io/otel/propagation" + "go.opentelemetry.io/otel/trace" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/credentials" @@ -166,6 +169,9 @@ var ( enableGRPCTimeHistogram = true ) +// OpenTelemetry tracer for this package +var tracer trace.Tracer + func init() { maxConcurrentLoginRequestsCount = env.ParseNumFromEnv(maxConcurrentLoginRequestsCountEnv, maxConcurrentLoginRequestsCount, 0, math.MaxInt32) replicasCount = env.ParseNumFromEnv(replicasCountEnv, replicasCount, 0, math.MaxInt32) 
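Review bot: The new SourceHydrator branch in isSourceInHistory returns early, so `index` and `versionId` are never consulted for hydrator-enabled apps; a source that matches neither the dry nor the sync source but was synced in the app's history now yields false where the pre-existing path (outside this hunk) would presumably have matched it. If that is intended, say so in a comment on the branch, because this helper appears to sit on the repository-permission path (the hunk header names isRepoPermittedInProject) and its result decides whether a source may be used. Stylistically the body collapses to a single `return source.Equals(&drySource) || source.Equals(&syncSource)`. The rest of isSourceInHistory continues past the hunk.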
@@ -173,6 +179,7 @@ func init() { maxConcurrentLoginRequestsCount = maxConcurrentLoginRequestsCount / replicasCount } enableGRPCTimeHistogram = env.ParseBoolFromEnv(common.EnvEnableGRPCTimeHistogramEnv, false) + tracer = otel.Tracer("github.com/argoproj/argo-cd/v3/server") } // ArgoCDServer is the API server for Argo CD @@ -674,59 +681,47 @@ func (server *ArgoCDServer) Run(ctx context.Context, listeners *Listeners) { var wg gosync.WaitGroup // Shutdown http server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { err := httpS.Shutdown(shutdownCtx) if err != nil { log.Errorf("Error shutting down http server: %s", err) } - }() + }) if server.useTLS() { // Shutdown https server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { err := httpsS.Shutdown(shutdownCtx) if err != nil { log.Errorf("Error shutting down https server: %s", err) } - }() + }) } // Shutdown gRPC server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { grpcS.GracefulStop() - }() + }) // Shutdown metrics server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { err := metricsServ.Shutdown(shutdownCtx) if err != nil { log.Errorf("Error shutting down metrics server: %s", err) } - }() + }) if server.useTLS() { // Shutdown tls server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { tlsm.Close() - }() + }) } // Shutdown tcp server - wg.Add(1) - go func() { - defer wg.Done() + wg.Go(func() { tcpm.Close() - }() + }) c := make(chan struct{}) // This goroutine will wait for all servers to conclude the shutdown 
@@ -1176,8 +1171,8 @@ func (server *ArgoCDServer) newHTTPServer(ctx context.Context, port int, grpcWeb Handler: &handlerSwitcher{ handler: mux, urlToHandler: map[string]http.Handler{ - "/api/badge": badge.NewHandler(server.AppClientset, server.settingsMgr, server.Namespace, server.ApplicationNamespaces), - common.LogoutEndpoint: logout.NewHandler(server.settingsMgr, server.sessionMgr, server.RootPath, server.BaseHRef), + "/api/badge": otelhttp.NewHandler(badge.NewHandler(server.AppClientset, server.settingsMgr, server.Namespace, server.ApplicationNamespaces), "server.ArgoCDServer/badge"), + common.LogoutEndpoint: otelhttp.NewHandler(logout.NewHandler(server.settingsMgr, server.sessionMgr, server.RootPath, server.BaseHRef), "server.ArgoCDServer/logout"), }, contentTypeToHandler: map[string]http.Handler{ "application/grpc-web+proto": grpcWebHandler, @@ -1305,7 +1300,7 @@ func registerExtensions(mux *http.ServeMux, a *ArgoCDServer, metricsReg HTTPMetr extHandler := http.HandlerFunc(a.extensionManager.CallExtension()) authMiddleware := a.sessionMgr.AuthMiddlewareFunc(a.DisableAuth, a.settings.IsSSOConfigured(), a.ssoClientApp) // auth middleware ensures that requests to all extensions are authenticated first - mux.Handle(extension.URLPrefix+"/", authMiddleware(extHandler)) + mux.Handle(extension.URLPrefix+"/", otelhttp.NewHandler(authMiddleware(extHandler), "server.ArgoCDServer/extensions")) a.extensionManager.AddMetricsRegistry(metricsReg) 
@@ -1363,9 +1358,10 @@ func (server *ArgoCDServer) registerDexHandlers(mux *http.ServeMux) {
 return
 }
 // Run dex OpenID Connect Identity Provider behind a reverse proxy (served at /api/dex)
- mux.HandleFunc(common.DexAPIEndpoint+"/", dexutil.NewDexHTTPReverseProxy(server.DexServerAddr, server.BaseHRef, server.DexTLSConfig))
- mux.HandleFunc(common.LoginEndpoint, server.ssoClientApp.HandleLogin)
- mux.HandleFunc(common.CallbackEndpoint, server.ssoClientApp.HandleCallback)
+ mux.Handle(common.DexAPIEndpoint+"/", otelhttp.NewHandler(http.HandlerFunc(dexutil.NewDexHTTPReverseProxy(server.DexServerAddr, server.BaseHRef, server.DexTLSConfig)), "server.dex/Proxy"))
+
+ mux.Handle(common.LoginEndpoint, otelhttp.NewHandler(http.HandlerFunc(server.ssoClientApp.HandleLogin), "server.ClientApp/HandleLogin"))
+ mux.Handle(common.CallbackEndpoint, otelhttp.NewHandler(http.HandlerFunc(server.ssoClientApp.HandleCallback), "server.ClientApp/HandleCallback"))
 }
 
 // newRedirectServer returns an HTTP server which does a 307 redirect to the HTTPS server
@@ -1451,7 +1447,7 @@ func (server *ArgoCDServer) uiAssetExists(filename string) bool {
 func (server *ArgoCDServer) newStaticAssetsHandler() func(http.ResponseWriter, *http.Request) {
 return func(w http.ResponseWriter, r *http.Request) {
 acceptHTML := false
- for _, acceptType := range strings.Split(r.Header.Get("Accept"), ",") {
+ for acceptType := range strings.SplitSeq(r.Header.Get("Accept"), ",") {
 if acceptType == "text/html" || acceptType == "html" {
 acceptHTML = true
 break
@@ -1522,6 +1518,9 @@ func replaceBaseHRef(data string, replaceWith string) string {
 
 // Authenticate checks for the presence of a valid token when accessing server-side resources.
 func (server *ArgoCDServer) Authenticate(ctx context.Context) (context.Context, error) {
+ var span trace.Span
+ ctx, span = tracer.Start(ctx, "server.ArgoCDServer.Authenticate")
+ defer span.End()
 if server.DisableAuth {
 return ctx, nil
 }
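Review bot: `ctx, span = tracer.Start(ctx, "server.ArgoCDServer.Authenticate")` overwrites the context that Authenticate returns to the auth interceptor (`return ctx, nil` on the DisableAuth path visible here, and presumably the later returns outside the hunk), so every span the RPC handler starts afterwards is parented to the Authenticate span, which `defer span.End()` has already closed by then. Start the span on a separate context, e.g. `spanCtx, span := tracer.Start(ctx, "server.ArgoCDServer.Authenticate")`, pass `spanCtx` only to the calls that should be traced inside Authenticate (getClaims, outside this hunk), and keep returning the original `ctx`. Authenticate continues beyond the hunk.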
@@ -1561,18 +1560,24 @@ func (server *ArgoCDServer) Authenticate(ctx context.Context) (context.Context,
 
 // getClaims extracts, validates and refreshes a JWT token from an incoming request context.
 func (server *ArgoCDServer) getClaims(ctx context.Context) (jwt.Claims, string, error) {
+ var span trace.Span
+ ctx, span = tracer.Start(ctx, "server.ArgoCDServer.getClaims")
+ defer span.End()
 md, ok := metadata.FromIncomingContext(ctx)
 if !ok {
+ span.SetStatus(otel_codes.Error, ErrNoSession.Error())
 return nil, "", ErrNoSession
 }
 tokenString := getToken(md)
 if tokenString == "" {
+ span.SetStatus(otel_codes.Error, ErrNoSession.Error())
 return nil, "", ErrNoSession
 }
 // A valid argocd-issued token is automatically refreshed here prior to expiration.
 // OIDC tokens will be verified but will not be refreshed here.
 claims, newToken, err := server.sessionMgr.VerifyToken(ctx, tokenString)
 if err != nil {
+ span.SetStatus(otel_codes.Error, err.Error())
 return claims, "", status.Errorf(codes.Unauthenticated, "invalid session: %v", err)
 }
 
diff --git a/server/server_norace_test.go b/server/server_norace_test.go
index dcbdf12be6..c08382f23f 100644
--- a/server/server_norace_test.go
+++ b/server/server_norace_test.go
@@ -1,5 +1,4 @@
 //go:build !race
-// +build !race
 
 package server
 
diff --git a/server/session/ratelimiter_test.go b/server/session/ratelimiter_test.go
index 0c2a19034c..0d73aae824 100644
--- a/server/session/ratelimiter_test.go
+++ b/server/session/ratelimiter_test.go
@@ -13,7 +13,7 @@ import (
 func TestRateLimiter(t *testing.T) {
 var closers []utilio.Closer
 limiter := NewLoginRateLimiter(10)
- for i := 0; i < 10; i++ {
+ for range 10 {
 closer, err := limiter()
 require.NoError(t, err)
 closers = append(closers, closer)
diff --git a/sonar-project.properties b/sonar-project.properties
index 21dad92e68..b24cb1d00b 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
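Review bot: `span.SetStatus(otel_codes.Error, err.Error())` after the `VerifyToken` call exports the verifier's error text to the tracing backend as the span's status description; confirm that the errors `sessionMgr.VerifyToken` returns never embed the token, its claims or the subject, since a trace pipeline usually has a wider audience than the server log. If they can, use a fixed description such as `span.SetStatus(otel_codes.Error, "invalid session")` and leave the detail in the returned gRPC status, which the caller already receives. The two `ErrNoSession` paths are fine as written. getClaims's remaining returns are outside the hunk.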
@@ -8,7 +8,8 @@ sonar.projectVersion=1.0 # Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows. sonar.sources=. -sonar.exclusions=docs/** +# Exclude docs and testdata with kustomization files (Sonar IaC parser fails on empty/edge-case YAML) +sonar.exclusions=docs/**,**/testdata/** # Encoding of the source code. Default is default system encoding sonar.sourceEncoding=UTF-8 @@ -24,5 +25,5 @@ sonar.go.exclusions=**/vendor/**,**/*.pb.go,**/*_test.go,**/*.pb.gw.go,**/mocks/ # Exclude following set of patterns from duplication detection sonar.cpd.exclusions=**/*.pb.go,**/*.g.cs,**/*.gw.go,**/mocks/*,docs/** -# Exclude test manifests from analysis -sonar.kubernetes.exclusions=controller/testdata/**,test/**,util/kustomize/testdata/** +# Exclude test manifests from analysis (avoids Sonar IaC parser errors on empty/edge-case kustomization files) +sonar.kubernetes.exclusions=controller/testdata/**,test/**,util/kustomize/testdata/**,util/app/discovery/testdata/**,reposerver/repository/testdata/** diff --git a/test/container/Dockerfile b/test/container/Dockerfile index 822f791b7a..0ebe631e00 100644 --- a/test/container/Dockerfile +++ b/test/container/Dockerfile @@ -1,4 +1,4 @@ -FROM docker.io/library/redis:8.2.3@sha256:7cb87cb4aa89150d17589e35f74162e64736843401675f6bd3c1ef68bbbe7889 AS redis +FROM docker.io/library/redis:8.6.0@sha256:7b6fb55d8b0adcd77269dc52b3cfffe5f59ca5d43dec3c90dbe18aacce7942e1 AS redis # There are libraries we will want to copy from here in the final stage of the # build, but the COPY directive does not have a way to determine system 
@@ -8,13 +8,13 @@ RUN ln -s /usr/lib/$(uname -m)-linux-gnu /usr/lib/linux-gnu # Please make sure to also check the contained yarn version and update the references below when upgrading this image's version FROM docker.io/library/node:22.9.0@sha256:8398ea18b8b72817c84af283f72daed9629af2958c4f618fe6db4f453c5c9328 AS node -FROM docker.io/library/golang:1.25.1@sha256:d7098379b7da665ab25b99795465ec320b1ca9d4addb9f77409c4827dc904211 AS golang +FROM docker.io/library/golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 AS golang -FROM docker.io/library/registry:3.0@sha256:cd92709b4191c5779cd7215ccd695db6c54652e7a62843197e367427efb84d0e AS registry +FROM docker.io/library/registry:3.0@sha256:6c5666b861f3505b116bb9aa9b25175e71210414bd010d92035ff64018f9457e AS registry FROM docker.io/bitnamilegacy/kubectl:1.32@sha256:9524faf8e3cefb47fa28244a5d15f95ec21a73d963273798e593e61f80712333 AS kubectl -FROM docker.io/library/ubuntu:25.10@sha256:5922638447b1e3ba114332c896a2c7288c876bb94adec923d70d58a17d2fec5e +FROM docker.io/library/ubuntu:26.04@sha256:fed6ddb82c61194e1814e93b59cfcb6759e5aa33c4e41bb3782313c2386ed6df ENV DEBIAN_FRONTEND=noninteractive @@ -28,7 +28,6 @@ RUN apt-get update && apt-get install --fix-missing --no-install-recommends -y nginx \ fcgiwrap \ git \ - git-lfs \ gpg \ gpg-agent \ jq \ @@ -54,6 +53,12 @@ ENV PATH=/dist:/go/bin:/usr/local/go/bin:/go/src/github.com/argoproj/argo-cd/dis ENV GOROOT=/usr/local/go ENV GOPATH=/go +# Disable gRPC service config lookups via DNS TXT records to prevent excessive +# DNS queries for _grpc_config. which can cause timeouts in dual-stack +# environments. This can be overridden via argocd-cmd-params-cm ConfigMap. +# See https://github.com/argoproj/argo-cd/issues/24991 +ENV GRPC_ENABLE_TXT_SERVICE_CONFIG=false + # Install build and test dependencies COPY hack/install.sh hack/tool-versions.sh go.* ./ COPY hack/installers installers 
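Review bot: Dropping `git-lfs` from the apt package list here and reinstalling it via `./install.sh git-lfs` in the hunk at `@@ -65,6 +70,7 @@` moves the binary from a distro-signed package to a project-maintained download script; make sure the `git-lfs` entry in hack/tool-versions.sh pins both a version and a checksum that install.sh verifies, otherwise the test image gains an unverified download. The base-image bumps in this hunk keep their digests, which is the right pattern. The new `GRPC_ENABLE_TXT_SERVICE_CONFIG=false` comment says the value can be overridden via the argocd-cmd-params-cm ConfigMap, but in this test container it is a plain image ENV consumed by the locally run processes; if the ConfigMap does not reach those processes, reword the comment to say where the override actually applies.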
@@ -65,6 +70,7 @@ RUN ./install.sh helm && \
 ./install.sh codegen-go-tools && \
 ./install.sh lint-tools && \
 ./install.sh gotestsum && \
+ ./install.sh git-lfs && \
 go install github.com/mattn/goreman@latest && \
 go install github.com/kisielk/godepgraph@latest && \
 go install github.com/jstemmer/go-junit-report@latest && \
diff --git a/test/container/Procfile b/test/container/Procfile
index 9aeee211b1..9193127652 100644
--- a/test/container/Procfile
+++ b/test/container/Procfile
@@ -11,5 +11,5 @@ fcgiwrap: sudo sh -c "test $ARGOCD_E2E_TEST = true && (fcgiwrap -s unix:/var/run
 nginx: sudo sh -c "test $ARGOCD_E2E_TEST = true && nginx -g 'daemon off;' -c $(pwd)/test/fixture/testrepos/nginx.conf"
 helm-registry: sudo sh -c "OTEL_TRACES_EXPORTER=none REGISTRY_LOG_LEVEL=info registry serve /etc/docker/registry/config.yml"
 dev-mounter: test "$ARGOCD_E2E_TEST" != "true" && go run hack/dev-mounter/main.go --configmap argocd-ssh-known-hosts-cm=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} --configmap argocd-tls-certs-cm=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} --configmap argocd-gpg-keys-cm=${ARGOCD_GPG_DATA_PATH:-/tmp/argocd-local/gpg/source}
-applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
+applicationset-controller: [ "$BIN_MODE" = 'true' ] && COMMAND=./dist/argocd || COMMAND='go run ./cmd/main.go' && sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true} ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_SSH_DATA_PATH=${ARGOCD_SSH_DATA_PATH:-/tmp/argocd-local/ssh} ARGOCD_BINARY_NAME=argocd-applicationset-controller $COMMAND --loglevel debug --metrics-addr localhost:12345 --probe-addr localhost:12346 --argocd-repo-server localhost:${ARGOCD_E2E_REPOSERVER_PORT:-8081}"
 notification: sh -c "FORCE_LOG_COLORS=4 ARGOCD_FAKE_IN_CLUSTER=true ARGOCD_TLS_DATA_PATH=${ARGOCD_TLS_DATA_PATH:-/tmp/argocd-local/tls} ARGOCD_BINARY_NAME=argocd-notifications go run ./cmd/main.go --loglevel debug"
diff --git a/test/e2e/admin_test.go b/test/e2e/admin_test.go
index 5cabf440a4..95b2f64e61 100644
--- a/test/e2e/admin_test.go
+++ b/test/e2e/admin_test.go
@@ -3,7 +3,7 @@ package e2e
 import (
 "testing"
 
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/test/e2e/app_autosync_ns_test.go b/test/e2e/app_autosync_ns_test.go
index f0fd7df0fe..65d668aafa 100644
--- a/test/e2e/app_autosync_ns_test.go
+++ b/test/e2e/app_autosync_ns_test.go
@@ -3,7 +3,7 @@ package e2e
 import (
 "testing"
 
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 "github.com/stretchr/testify/assert"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
diff --git a/test/e2e/app_autosync_test.go b/test/e2e/app_autosync_test.go
index a6e28130d5..42f56b19e9 100644
--- a/test/e2e/app_autosync_test.go
+++ b/test/e2e/app_autosync_test.go
@@ -5,7 +5,7 @@ import (
 "testing"
 "time"
 
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 "github.com/stretchr/testify/assert"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
diff --git a/test/e2e/app_deletion_test.go b/test/e2e/app_deletion_test.go
index e34741745e..3be5fa5b54 100644
--- a/test/e2e/app_deletion_test.go
+++ b/test/e2e/app_deletion_test.go
@@ -3,7 +3,7 @@ package e2e
 import (
 "testing"
 
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 
diff --git a/test/e2e/app_management_ns_test.go b/test/e2e/app_management_ns_test.go
index d2586c48ed..4275d377fa 100644
--- a/test/e2e/app_management_ns_test.go
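Review bot: The new `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=${ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS:-true}` on the applicationset-controller line makes progressive syncs the default for every local run, which is a behaviour change for the dev container rather than an opt-in; if that is deliberate the intent belongs in a comment, and if not, `:-false` keeps the previous default. The e2e tests added in this PR skip unless the same variable is `"true"` in the test process, and this line only sets it inside the controller's `sh -c` environment, so the test runner presumably still needs it exported separately. A note above this entry such as `# ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS must also be set in the environment that runs the e2e tests, or they skip` would avoid a silent skip.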
+++ b/test/e2e/app_management_ns_test.go
@@ -9,10 +9,10 @@ import (
 "testing"
 "time"
 
- "github.com/argoproj/gitops-engine/pkg/diff"
- "github.com/argoproj/gitops-engine/pkg/health"
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 log "github.com/sirupsen/logrus"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/test/e2e/app_management_test.go b/test/e2e/app_management_test.go
index 7612f28a0c..16dee8539f 100644
--- a/test/e2e/app_management_test.go
+++ b/test/e2e/app_management_test.go
@@ -7,10 +7,10 @@ import (
 "testing"
 "time"
 
- "github.com/argoproj/gitops-engine/pkg/diff"
- "github.com/argoproj/gitops-engine/pkg/health"
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 log "github.com/sirupsen/logrus"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
diff --git a/test/e2e/app_namespaces_test.go b/test/e2e/app_namespaces_test.go
index 0d9ec52e3f..e0ca30c01e 100644
--- a/test/e2e/app_namespaces_test.go
+++ b/test/e2e/app_namespaces_test.go
@@ -3,7 +3,7 @@ package e2e
 import (
 "testing"
 
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/test/e2e/applicationset_progressive_sync_test.go b/test/e2e/applicationset_progressive_sync_test.go
new file mode 100644
index 0000000000..ec7fa05835
--- /dev/null
+++ b/test/e2e/applicationset_progressive_sync_test.go
@@ -0,0 +1,673 @@ +package e2e + +import ( + "os" + "testing" + "time" + + "github.com/stretchr/testify/require" + + apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" + + "github.com/argoproj/argo-cd/v3/pkg/apis/application" + "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" + "github.com/argoproj/argo-cd/v3/test/e2e/fixture" + . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/applicationsets" + + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + TransitionTimeout = 60 * time.Second +) + +func TestApplicationSetProgressiveSyncStep(t *testing.T) { + if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" { + t.Skip("Skipping progressive sync tests - env variable not set to enable progressive sync") + } + expectedDevApp := v1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: application.ApplicationKind, + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "app1-dev", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "dev", + }, + Finalizers: []string{ + "resources-finalizer.argocd.argoproj.io", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: "https://github.com/argoproj/argocd-example-apps.git", + Path: "guestbook", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "app1", + }, + }, + } + + expectedStageApp := v1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: application.ApplicationKind, + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "app2-staging", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "staging", + }, + Finalizers: []string{ + "resources-finalizer.argocd.argoproj.io", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + 
RepoURL: "https://github.com/argoproj/argocd-example-apps.git", + Path: "guestbook", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "app2", + }, + }, + } + expectedProdApp := v1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: application.ApplicationKind, + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: "app3-prod", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "prod", + }, + Finalizers: []string{ + "resources-finalizer.argocd.argoproj.io", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: "https://github.com/argoproj/argocd-example-apps.git", + Path: "guestbook", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "app3", + }, + }, + } + + Given(t). + When(). + Create(v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "progressive-sync-apps", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "{{.name}}-{{.environment}}", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "{{.environment}}", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: "https://github.com/argoproj/argocd-example-apps.git", + Path: "guestbook", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "{{.name}}", + }, + SyncPolicy: &v1alpha1.SyncPolicy{ + SyncOptions: v1alpha1.SyncOptions{"CreateNamespace=true"}, + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + List: &v1alpha1.ListGenerator{ + Elements: []apiextensionsv1.JSON{ + {Raw: 
[]byte(`{"name": "app1", "environment": "dev"}`)}, + {Raw: []byte(`{"name": "app2", "environment": "staging"}`)}, + {Raw: []byte(`{"name": "app3", "environment": "prod"}`)}, + }, + }, + }, + }, + Strategy: &v1alpha1.ApplicationSetStrategy{ + Type: "RollingSync", + RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{ + Steps: generateStandardRolloutSyncSteps(), + }, + }, + }, + }). + Then(). + And(func() { + t.Log("ApplicationSet created ") + }). + Expect(ApplicationsExist([]v1alpha1.Application{expectedDevApp, expectedStageApp, expectedProdApp})). + And(func() { + t.Log("All applications exist") + }). + ExpectWithDuration(CheckApplicationInRightSteps("1", []string{"app1-dev"}), TransitionTimeout). + ExpectWithDuration(CheckApplicationInRightSteps("2", []string{"app2-staging"}), time.Second*5). + ExpectWithDuration(CheckApplicationInRightSteps("3", []string{"app3-prod"}), time.Second*5). + // cleanup + When(). + Delete(). + Then(). + ExpectWithDuration(ApplicationsDoNotExist([]v1alpha1.Application{expectedDevApp, expectedStageApp, expectedProdApp}), time.Minute) +} + +func TestProgressiveSyncHealthGating(t *testing.T) { + if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" { + t.Skip("Skipping progressive sync tests - ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS not enabled") + } + expectedDevApp := generateExpectedApp("prog-", "progressive-sync/", "dev", "dev") + expectedStageApp := generateExpectedApp("prog-", "progressive-sync/", "staging", "staging") + expectedProdApp := generateExpectedApp("prog-", "progressive-sync/", "prod", "prod") + + expectedStatusWave1 := map[string]v1alpha1.ApplicationSetApplicationStatus{ + "prog-dev": { + Application: "prog-dev", + Status: v1alpha1.ProgressiveSyncProgressing, + }, + "prog-staging": { + Application: "prog-staging", + Status: v1alpha1.ProgressiveSyncWaiting, + }, + "prog-prod": { + Application: "prog-prod", + Status: v1alpha1.ProgressiveSyncWaiting, + }, + } + + 
expectedStatusWave2 := map[string]v1alpha1.ApplicationSetApplicationStatus{ + "prog-dev": { + Application: "prog-dev", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + "prog-staging": { + Application: "prog-staging", + Status: v1alpha1.ProgressiveSyncProgressing, + }, + "prog-prod": { + Application: "prog-prod", + Status: v1alpha1.ProgressiveSyncWaiting, + }, + } + + expectedStatusWave3 := map[string]v1alpha1.ApplicationSetApplicationStatus{ + "prog-dev": { + Application: "prog-dev", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + "prog-staging": { + Application: "prog-staging", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + "prog-prod": { + Application: "prog-prod", + Status: v1alpha1.ProgressiveSyncProgressing, + }, + } + + expectedAllHealthy := map[string]v1alpha1.ApplicationSetApplicationStatus{ + "prog-dev": { + Application: "prog-dev", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + "prog-staging": { + Application: "prog-staging", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + "prog-prod": { + Application: "prog-prod", + Status: v1alpha1.ProgressiveSyncHealthy, + }, + } + + Given(t). + When(). 
+ Create(v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "progressive-sync-gating", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "prog-{{.environment}}", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "{{.environment}}", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: fixture.RepoURL(fixture.RepoURLTypeFile), + Path: "progressive-sync/{{.environment}}", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "prog-{{.environment}}", + }, + SyncPolicy: &v1alpha1.SyncPolicy{ + SyncOptions: v1alpha1.SyncOptions{"CreateNamespace=true"}, + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + List: &v1alpha1.ListGenerator{ + Elements: []apiextensionsv1.JSON{ + {Raw: []byte(`{"environment": "dev"}`)}, + {Raw: []byte(`{"environment": "staging"}`)}, + {Raw: []byte(`{"environment": "prod"}`)}, + }, + }, + }, + }, + Strategy: &v1alpha1.ApplicationSetStrategy{ + Type: "RollingSync", + RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{ + Steps: generateStandardRolloutSyncSteps(), + }, + }, + }, + }). + Then(). + Expect(ApplicationsExist([]v1alpha1.Application{expectedDevApp, expectedStageApp, expectedProdApp})). + And(func() { + t.Log("ApplicationSet created") + t.Log("Checking Dev app should be stuck in Progressing (invalid image)") + t.Log("Verifying staging and prod are Waiting") + }). + ExpectWithDuration(CheckProgressiveSyncStatusCodeOfApplications(expectedStatusWave1), TransitionTimeout). 
+ And(func() { + // Patch deployment to use valid image + fixture.Patch(t, "progressive-sync/dev/deployment.yaml", `[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "quay.io/argoprojlabs/argocd-e2e-container:0.1"}]`) + // Refresh the app to detect git changes + _, err := fixture.RunCli("app", "get", "prog-dev", "--refresh") + require.NoError(t, err) + t.Log("After patching image and refreshing, Dev app should progress to Healthy") + t.Log("Staging app should now be in Progressing, and prod is waiting") + }). + ExpectWithDuration(CheckProgressiveSyncStatusCodeOfApplications(expectedStatusWave2), TransitionTimeout). + And(func() { + // Patch deployment to use valid image + fixture.Patch(t, "progressive-sync/staging/deployment.yaml", `[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "quay.io/argoprojlabs/argocd-e2e-container:0.1"}]`) + // Refresh the app to detect git changes + _, err := fixture.RunCli("app", "get", "prog-staging", "--refresh") + require.NoError(t, err) + t.Log("Dev and staging are now Healthy") + t.Log("check Prod app is progressing") + }). + ExpectWithDuration(CheckProgressiveSyncStatusCodeOfApplications(expectedStatusWave3), TransitionTimeout). + And(func() { + // Patch deployment to use valid image + fixture.Patch(t, "progressive-sync/prod/deployment.yaml", `[{"op": "replace", "path": "/spec/template/spec/containers/0/image", "value": "quay.io/argoprojlabs/argocd-e2e-container:0.1"}]`) + // Refresh the app to detect git changes + _, err := fixture.RunCli("app", "get", "prog-prod", "--refresh") + require.NoError(t, err) + }). + ExpectWithDuration(CheckProgressiveSyncStatusCodeOfApplications(expectedAllHealthy), TransitionTimeout). + And(func() { + t.Log("progressive sync verified") + t.Log("Dev progressed first") + t.Log("Staging waited until Dev was Healthy") + t.Log("Prod waited until Staging was Healthy") + }). + // Cleanup + When(). + Delete(). + Then(). 
+ ExpectWithDuration(ApplicationsDoNotExist([]v1alpha1.Application{expectedDevApp, expectedStageApp, expectedProdApp}), TransitionTimeout) +} + +func TestNoApplicationStatusWhenNoSteps(t *testing.T) { + if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" { + t.Skip("Skipping progressive sync tests - ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS not enabled") + } + + expectedConditions := []v1alpha1.ApplicationSetCondition{ + { + Type: v1alpha1.ApplicationSetConditionErrorOccurred, + Status: v1alpha1.ApplicationSetConditionStatusFalse, + Message: "All applications have been generated successfully", + Reason: v1alpha1.ApplicationSetReasonApplicationSetUpToDate, + }, + { + Type: v1alpha1.ApplicationSetConditionParametersGenerated, + Status: v1alpha1.ApplicationSetConditionStatusTrue, + Message: "Successfully generated parameters for all Applications", + Reason: v1alpha1.ApplicationSetReasonParametersGenerated, + }, + { + Type: v1alpha1.ApplicationSetConditionResourcesUpToDate, + Status: v1alpha1.ApplicationSetConditionStatusTrue, + Message: "All applications have been generated successfully", + Reason: v1alpha1.ApplicationSetReasonApplicationSetUpToDate, + }, + { + Type: v1alpha1.ApplicationSetConditionRolloutProgressing, + Status: v1alpha1.ApplicationSetConditionStatusFalse, + Message: "ApplicationSet Rollout has completed", + Reason: v1alpha1.ApplicationSetReasonApplicationSetRolloutComplete, + }, + } + + expectedApps := []v1alpha1.Application{ + generateExpectedApp("prog-", "progressive-sync/", "dev", "dev"), + generateExpectedApp("prog-", "progressive-sync/", "staging", "staging"), + generateExpectedApp("prog-", "progressive-sync/", "prod", "prod"), + } + Given(t). + When(). + Create(appSetInvalidStepConfiguration). + Then(). + Expect(ApplicationSetHasConditions(expectedConditions)). // TODO: when no steps created, condition should reflect that. + Expect(ApplicationSetDoesNotHaveApplicationStatus()). 
+ // Cleanup + When(). + Delete(). + Then(). + ExpectWithDuration(ApplicationsDoNotExist(expectedApps), TransitionTimeout) +} + +func TestNoApplicationStatusWhenNoApplications(t *testing.T) { + if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" { + t.Skip("Skipping progressive sync tests - ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS not enabled") + } + expectedApps := []v1alpha1.Application{ + generateExpectedApp("prog-", "progressive-sync/", "dev", "dev"), + generateExpectedApp("prog-", "progressive-sync/", "staging", "staging"), + generateExpectedApp("prog-", "progressive-sync/", "prod", "prod"), + } + Given(t). + When(). + Create(appSetWithEmptyGenerator). + Then(). + Expect(ApplicationsDoNotExist(expectedApps)). + Expect(ApplicationSetDoesNotHaveApplicationStatus()). + // Cleanup + When(). + Delete(). + Then(). + Expect(ApplicationsDoNotExist(expectedApps)) +} + +func TestProgressiveSyncMultipleAppsPerStep(t *testing.T) { + if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" { + t.Skip("Skipping progressive sync tests - ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS not enabled") + } + expectedApps := []v1alpha1.Application{ + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/dev/", "sketch", "dev"), + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/dev/", "build", "dev"), + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/staging/", "verify", "staging"), + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/staging/", "validate", "staging"), + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/prod/", "ship", "prod"), + generateExpectedApp("prog-", "progressive-sync/multiple-apps-in-step/prod/", "run", "prod"), + } + Given(t). + When(). + Create(appSetWithMultipleAppsInEachStep). + Then(). + Expect(ApplicationsExist(expectedApps)). 
+ Expect(CheckApplicationInRightSteps("1", []string{"prog-sketch", "prog-build"})). + Expect(CheckApplicationInRightSteps("2", []string{"prog-verify", "prog-validate"})). + Expect(CheckApplicationInRightSteps("3", []string{"prog-ship", "prog-run"})). + ExpectWithDuration(ApplicationSetHasApplicationStatus(6), TransitionTimeout). + // Cleanup + When(). + Delete(). + Then(). + Expect(ApplicationsDoNotExist(expectedApps)) +} + +var appSetInvalidStepConfiguration = v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "invalid-step-configuration", + }, + TypeMeta: metav1.TypeMeta{ + Kind: "ApplicationSet", + APIVersion: "argoproj.io/v1alpha1", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "prog-{{.environment}}", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "{{.environment}}", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: fixture.RepoURL(fixture.RepoURLTypeFile), + Path: "progressive-sync/{{.environment}}", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "prog-{{.environment}}", + }, + SyncPolicy: &v1alpha1.SyncPolicy{ + SyncOptions: v1alpha1.SyncOptions{"CreateNamespace=true"}, + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + List: &v1alpha1.ListGenerator{ + Elements: []apiextensionsv1.JSON{ + {Raw: []byte(`{"environment": "dev"}`)}, + {Raw: []byte(`{"environment": "staging"}`)}, + {Raw: []byte(`{"environment": "prod"}`)}, + }, + }, + }, + }, + Strategy: &v1alpha1.ApplicationSetStrategy{ + Type: "RollingSync", + RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{ + Steps: []v1alpha1.ApplicationSetRolloutStep{ + // Empty Steps with Rolling Sync shouldn't trigger + }, + }, + }, + }, +} + +var 
appSetWithEmptyGenerator = v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "appset-empty-generator", + }, + TypeMeta: metav1.TypeMeta{ + Kind: "ApplicationSet", + APIVersion: "argoproj.io/v1alpha1", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "prog-{{.environment}}", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "{{.environment}}", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: fixture.RepoURL(fixture.RepoURLTypeFile), + Path: "progressive-sync/{{.environment}}", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "prog-{{.environment}}", + }, + SyncPolicy: &v1alpha1.SyncPolicy{ + SyncOptions: v1alpha1.SyncOptions{"CreateNamespace=true"}, + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + List: &v1alpha1.ListGenerator{ + Elements: []apiextensionsv1.JSON{ + // Empty Generator + }, + }, + }, + }, + Strategy: &v1alpha1.ApplicationSetStrategy{ + Type: "RollingSync", + RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{ + Steps: generateStandardRolloutSyncSteps(), + }, + }, + }, +} + +var appSetWithMultipleAppsInEachStep = v1alpha1.ApplicationSet{ + ObjectMeta: metav1.ObjectMeta{ + Name: "progressive-sync-multi-apps", + }, + Spec: v1alpha1.ApplicationSetSpec{ + GoTemplate: true, + Template: v1alpha1.ApplicationSetTemplate{ + ApplicationSetTemplateMeta: v1alpha1.ApplicationSetTemplateMeta{ + Name: "prog-{{.name}}", + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": "{{.environment}}", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: fixture.RepoURL(fixture.RepoURLTypeFile), + Path: 
"progressive-sync/multiple-apps-in-step/{{.environment}}/{{.name}}", + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: "prog-{{.name}}", + }, + SyncPolicy: &v1alpha1.SyncPolicy{ + SyncOptions: v1alpha1.SyncOptions{"CreateNamespace=true"}, + }, + }, + }, + Generators: []v1alpha1.ApplicationSetGenerator{ + { + List: &v1alpha1.ListGenerator{ + Elements: []apiextensionsv1.JSON{ + {Raw: []byte(`{"environment": "dev", "name": "sketch"}`)}, + {Raw: []byte(`{"environment": "dev", "name": "build"}`)}, + {Raw: []byte(`{"environment": "staging", "name": "verify"}`)}, + {Raw: []byte(`{"environment": "staging", "name": "validate"}`)}, + {Raw: []byte(`{"environment": "prod", "name": "ship"}`)}, + {Raw: []byte(`{"environment": "prod", "name": "run"}`)}, + }, + }, + }, + }, + Strategy: &v1alpha1.ApplicationSetStrategy{ + Type: "RollingSync", + RollingSync: &v1alpha1.ApplicationSetRolloutStrategy{ + Steps: generateStandardRolloutSyncSteps(), + }, + }, + }, +} + +func generateExpectedApp(prefix string, path string, name string, envVar string) v1alpha1.Application { + return v1alpha1.Application{ + TypeMeta: metav1.TypeMeta{ + Kind: "Application", + APIVersion: "argoproj.io/v1alpha1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: prefix + name, + Namespace: fixture.TestNamespace(), + Labels: map[string]string{ + "environment": envVar, + }, + Finalizers: []string{ + "resources-finalizer.argocd.argoproj.io", + }, + }, + Spec: v1alpha1.ApplicationSpec{ + Project: "default", + Source: &v1alpha1.ApplicationSource{ + RepoURL: fixture.RepoURL(fixture.RepoURLTypeFile), + Path: path + name, + TargetRevision: "HEAD", + }, + Destination: v1alpha1.ApplicationDestination{ + Server: "https://kubernetes.default.svc", + Namespace: prefix + name, + }, + }, + } +} + +func generateStandardRolloutSyncSteps() []v1alpha1.ApplicationSetRolloutStep { + return []v1alpha1.ApplicationSetRolloutStep{ + { + MatchExpressions: 
[]v1alpha1.ApplicationMatchExpression{ + { + Key: "environment", + Operator: "In", + Values: []string{"dev"}, + }, + }, + }, + { + MatchExpressions: []v1alpha1.ApplicationMatchExpression{ + { + Key: "environment", + Operator: "In", + Values: []string{"staging"}, + }, + }, + }, + { + MatchExpressions: []v1alpha1.ApplicationMatchExpression{ + { + Key: "environment", + Operator: "In", + Values: []string{"prod"}, + }, + }, + }, + } +} diff --git a/test/e2e/applicationset_test.go b/test/e2e/applicationset_test.go index ac8eaf8f16..a0b906db66 100644 --- a/test/e2e/applicationset_test.go +++ b/test/e2e/applicationset_test.go @@ -15,7 +15,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/argoproj/argo-cd/v3/common" "github.com/argoproj/argo-cd/v3/pkg/apiclient/applicationset" diff --git a/test/e2e/cli_test.go b/test/e2e/cli_test.go index 11a64506b7..5971e49ac6 100644 --- a/test/e2e/cli_test.go +++ b/test/e2e/cli_test.go @@ -5,8 +5,8 @@ import ( "path/filepath" "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/test/e2e/cluster_objects_test.go b/test/e2e/cluster_objects_test.go index 7907836098..69e69aa778 100644 --- a/test/e2e/cluster_objects_test.go +++ b/test/e2e/cluster_objects_test.go @@ -3,8 +3,8 @@ package e2e import ( "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" 
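Review bot: The `os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true"` gate is repeated verbatim at the top of all five tests in this new file, with two different skip messages, so a small `t.Helper()` function would keep the wording in one place and make the skip report the caller's line. `TransitionTimeout` is exported from package `e2e` although only this file uses it, and it sits next to bare `time.Second*5` waits for steps 2 and 3 in `TestApplicationSetProgressiveSyncStep` with nothing saying why those are shorter; an unexported `transitionTimeout` plus a one-line comment on the shorter waits would help. `TestNoApplicationStatusWhenNoSteps` carries a `TODO` on the expected conditions, meaning that expectation pins today's behaviour rather than the intended one, which is worth stating in the test's doc comment. The health-gating test rewrites `progressive-sync/*/deployment.yaml` in the fixture repo through `fixture.Patch`; presumably `Given(t)` resets the repo, but a doc comment on the test saying it relies on that would save the next reader a lookup.
```go
// skipUnlessProgressiveSyncEnabled skips the calling test unless the
// applicationset controller under test was started with progressive syncs
// enabled (see test/container/Procfile).
func skipUnlessProgressiveSyncEnabled(t *testing.T) {
	t.Helper()
	if os.Getenv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS") != "true" {
		t.Skip("Skipping progressive sync tests - ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS not enabled")
	}
}

func TestApplicationSetProgressiveSyncStep(t *testing.T) {
	skipUnlessProgressiveSyncEnabled(t)
	// … unchanged: expected apps, ApplicationSet creation, step expectations, cleanup …
}
```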
diff --git a/test/e2e/cluster_test.go b/test/e2e/cluster_test.go
index 44a4c7d7fa..2dc632a05c 100644
--- a/test/e2e/cluster_test.go
+++ b/test/e2e/cluster_test.go
@@ -217,6 +217,32 @@ func TestClusterURLInRestAPI(t *testing.T) {
 assert.Equal(t, map[string]string{"test": "val"}, cluster.Labels)
 }
 
+func TestClusterSkipReconcileAnnotation(t *testing.T) {
+ fixture.EnsureCleanState(t)
+
+ clusterURL := url.QueryEscape(KubernetesInternalAPIServerAddr)
+
+ var cluster Cluster
+ err := fixture.DoHttpJsonRequest("PUT",
+ fmt.Sprintf("/api/v1/clusters/%s?updatedFields=annotations", clusterURL),
+ &cluster,
+ fmt.Appendf(nil, `{"annotations":{%q:"true"}}`, "argocd.argoproj.io/skip-reconcile")...)
+ require.NoError(t, err)
+ assert.Equal(t, "true", cluster.Annotations["argocd.argoproj.io/skip-reconcile"])
+
+ var cluster2 Cluster
+ err = fixture.DoHttpJsonRequest("GET", "/api/v1/clusters/"+clusterURL, &cluster2)
+ require.NoError(t, err)
+ assert.Equal(t, "in-cluster", cluster2.Name)
+ assert.Equal(t, "true", cluster2.Annotations["argocd.argoproj.io/skip-reconcile"])
+
+ err = fixture.DoHttpJsonRequest("PUT",
+ fmt.Sprintf("/api/v1/clusters/%s?updatedFields=annotations", clusterURL),
+ &cluster,
+ []byte(`{"annotations":{}}`)...)
+ require.NoError(t, err)
+}
+
 func TestClusterDeleteDenied(t *testing.T) {
 ctx := accountFixture.Given(t)
 ctx.Name("test").
diff --git a/test/e2e/custom_tool_test.go b/test/e2e/custom_tool_test.go
index f7591d7974..c385141ad4 100644
--- a/test/e2e/custom_tool_test.go
+++ b/test/e2e/custom_tool_test.go
@@ -6,8 +6,8 @@ import (
 "strings"
 "testing"
 
- "github.com/argoproj/gitops-engine/pkg/health"
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 
diff --git a/test/e2e/declarative_test.go b/test/e2e/declarative_test.go
index 25d279c3ca..b2cc922c28 100644
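Review bot: The final PUT in `TestClusterSkipReconcileAnnotation` resets the annotations but its response is never checked, so if that update were rejected or ignored the in-cluster entry would stay marked `argocd.argoproj.io/skip-reconcile: true` and later tests in the package would run against a cluster the controller skips; presumably `fixture.EnsureCleanState` resets cluster state, but this hunk does not show that. Adding `assert.Empty(t, cluster.Annotations["argocd.argoproj.io/skip-reconcile"])` after the last `require.NoError` pins the cleanup, and registering the reset with `t.Cleanup` would make it run even when an earlier assertion fails. As a point of style, the first request body is built with `fmt.Appendf` and a `%q` verb while the second is a plain `[]byte` literal; since the annotation key is a constant, both bodies could be `[]byte` literals and read the same.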
--- a/test/e2e/declarative_test.go
+++ b/test/e2e/declarative_test.go
@@ -3,8 +3,8 @@ package e2e
 import (
 "testing"
 
- "github.com/argoproj/gitops-engine/pkg/health"
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 
 . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app"
diff --git a/test/e2e/deployment_test.go b/test/e2e/deployment_test.go
index afdcaf218a..eb9ef7cffc 100644
--- a/test/e2e/deployment_test.go
+++ b/test/e2e/deployment_test.go
@@ -20,8 +20,8 @@ import (
 "github.com/argoproj/argo-cd/v3/common"
 "github.com/argoproj/argo-cd/v3/util/clusterauth"
 
- "github.com/argoproj/gitops-engine/pkg/health"
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 
 . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 . "github.com/argoproj/argo-cd/v3/test/e2e/fixture"
diff --git a/test/e2e/diff_test.go b/test/e2e/diff_test.go
index a7e65175a7..fb184a5a39 100644
--- a/test/e2e/diff_test.go
+++ b/test/e2e/diff_test.go
@@ -3,7 +3,7 @@ package e2e
 import (
 "testing"
 
- . "github.com/argoproj/gitops-engine/pkg/sync/common"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 
 . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1"
 . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app"
diff --git a/test/e2e/fixture/admin/utils/backup.go b/test/e2e/fixture/admin/utils/backup.go
index 9af8f29ce0..b5150bc678 100644
--- a/test/e2e/fixture/admin/utils/backup.go
+++ b/test/e2e/fixture/admin/utils/backup.go
@@ -4,7 +4,7 @@ import (
 "fmt"
 "strings"
 
- "github.com/argoproj/gitops-engine/pkg/utils/kube"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube"
 yaml "gopkg.in/yaml.v3"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
@@ -13,9 +13,9 @@ type ExportedResources []unstructured.Unstructured
 func GetExportedResourcesFromOutput(output string) (ExportedResources, error) {
 var resources []unstructured.Unstructured
 
- docs := strings.Split(output, "\n---\n")
+ docs := strings.SplitSeq(output, "\n---\n")
 
- for _, doc := range docs {
+ for doc := range docs {
 doc = strings.TrimSpace(doc)
 if doc == "" {
 continue
diff --git a/test/e2e/fixture/app/consequences.go b/test/e2e/fixture/app/consequences.go
index 414136ec0a..1a95895e44 100644
--- a/test/e2e/fixture/app/consequences.go
+++ b/test/e2e/fixture/app/consequences.go
@@ -4,7 +4,7 @@ import (
 "context"
 "time"
 
- "github.com/argoproj/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
 log "github.com/sirupsen/logrus"
 "github.com/stretchr/testify/require"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/test/e2e/fixture/app/expectation.go b/test/e2e/fixture/app/expectation.go
index 7e0d6839b2..bf3179737d 100644
--- a/test/e2e/fixture/app/expectation.go
+++ b/test/e2e/fixture/app/expectation.go
@@ -7,8 +7,8 @@ import (
 "regexp"
 "strings"
 
- "github.com/argoproj/gitops-engine/pkg/health"
- "github.com/argoproj/gitops-engine/pkg/sync/common"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common"
 corev1 "k8s.io/api/core/v1"
 apierrors "k8s.io/apimachinery/pkg/api/errors"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
diff --git a/test/e2e/fixture/applicationsets/expectation.go b/test/e2e/fixture/applicationsets/expectation.go
index 14b57a9495..aeff4f4002 100644
--- a/test/e2e/fixture/applicationsets/expectation.go
+++ b/test/e2e/fixture/applicationsets/expectation.go
@@ -3,11 +3,12 @@ package applicationsets
 import (
 "fmt"
 "reflect"
+ "slices"
 "strings"
 "testing"
 
- "github.com/argoproj/gitops-engine/pkg/diff"
- "github.com/argoproj/gitops-engine/pkg/health"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/diff"
+ "github.com/argoproj/argo-cd/gitops-engine/pkg/health"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -243,3 +244,95 @@ func appsAreEqual(one v1alpha1.Application, two v1alpha1.Application) bool { func conditionsAreEqual(one, two *[]v1alpha1.ApplicationSetCondition) bool { return reflect.DeepEqual(filterConditionFields(one), filterConditionFields(two)) } + +// CheckProgressiveSyncStatusCodeOfApplications checks whether the progressive sync status codes of applications in ApplicationSetApplicationStatus +// match the expected values. +func CheckProgressiveSyncStatusCodeOfApplications(expectedStatuses map[string]v1alpha1.ApplicationSetApplicationStatus) Expectation { + return func(c *Consequences) (state, string) { + appSet := c.applicationSet(c.context.GetName()) + if appSet == nil { + return pending, fmt.Sprintf("no ApplicationSet found with name '%s'", c.context.GetName()) + } + if appSet.Status.ApplicationStatus == nil { + return pending, fmt.Sprintf("no application status found for ApplicationSet '%s'", c.context.GetName()) + } + for _, appStatus := range appSet.Status.ApplicationStatus { + expectedstatus, found := expectedStatuses[appStatus.Application] + if !found { + continue // Appset has more apps than expected - not ideal + } + if appStatus.Status != expectedstatus.Status { + return pending, fmt.Sprintf("for application '%s': expected status '%s' but got '%s'", expectedstatus.Application, expectedstatus.Status, appStatus.Status) + } + } + return succeeded, fmt.Sprintf("all applications in ApplicationSet's: '%s' Application Status have expected statuses ", c.context.GetName()) + } +} + +// CheckApplicationInRightSteps checks that a step contains exactly the expected applications. 
+func CheckApplicationInRightSteps(step string, expectedApps []string) Expectation { + return func(c *Consequences) (state, string) { + appSet := c.applicationSet(c.context.GetName()) + if appSet == nil { + return pending, fmt.Sprintf("no application set found with name '%s'", c.context.GetName()) + } + if appSet.Status.ApplicationStatus == nil { + return pending, fmt.Sprintf("no application status found for ApplicationSet '%s'", c.context.GetName()) + } + var stepApps []string + for _, appStatus := range appSet.Status.ApplicationStatus { + if appStatus.Step == step { + stepApps = append(stepApps, appStatus.Application) + } + } + if len(stepApps) != len(expectedApps) { + return pending, fmt.Sprintf("expected %d apps in step '%s' for appset '%s', but got %d", len(expectedApps), step, c.context.GetName(), len(stepApps)) + } + // Sort before comparing to avoid flakiness + slices.Sort(stepApps) + slices.Sort(expectedApps) + if !slices.Equal(stepApps, expectedApps) { + return pending, fmt.Sprintf("In step '%s', expected apps: '%s', but got: '%s'", step, expectedApps, stepApps) + } + return succeeded, fmt.Sprintf("Step '%s' has expected apps: '%s'", step, expectedApps) + } +} + +// ApplicationSetDoesNotHaveApplicationStatus checks that ApplicationSet.Status.ApplicationStatus is nil +func ApplicationSetDoesNotHaveApplicationStatus() Expectation { + return func(c *Consequences) (state, string) { + appSet := c.applicationSet(c.context.GetName()) + if appSet == nil { + return pending, fmt.Sprintf("no application set found with name '%s'", c.context.GetName()) + } + if appSet.Status.ApplicationStatus != nil { + return failed, fmt.Sprintf("application set '%s' has ApplicationStatus when not expected", c.context.GetName()) + } + return succeeded, fmt.Sprintf("Application '%s' does not have ApplicationStatus", c.context.GetName()) + } +} + +// ApplicationSetHasApplicationStatus checks that ApplicationSet has expected number of applications in its status +// and all have 
progressive sync status Healthy. +func ApplicationSetHasApplicationStatus(expectedApplicationStatusLength int) Expectation { + return func(c *Consequences) (state, string) { + appSet := c.applicationSet(c.context.GetName()) + if appSet == nil { + return pending, fmt.Sprintf("no application set found with name '%s'", c.context.GetName()) + } + if appSet.Status.ApplicationStatus == nil { + return pending, fmt.Sprintf("application set '%s' has no ApplicationStatus when '%d' expected", c.context.GetName(), expectedApplicationStatusLength) + } + + if len(appSet.Status.ApplicationStatus) != expectedApplicationStatusLength { + return failed, fmt.Sprintf("applicationset has '%d' applicationstatus, when '%d' are expected", len(appSet.Status.ApplicationStatus), expectedApplicationStatusLength) + } + + for _, appStatus := range appSet.Status.ApplicationStatus { + if appStatus.Status != v1alpha1.ProgressiveSyncHealthy { + return pending, fmt.Sprintf("Application '%s' not Healthy", appStatus.Application) + } + } + return succeeded, fmt.Sprintf("All Applications in ApplicationSet: '%s' are Healthy ", c.context.GetName()) + } +} diff --git a/test/e2e/fixture/fixture.go b/test/e2e/fixture/fixture.go index 27905bdec8..698be50fda 100644 --- a/test/e2e/fixture/fixture.go +++ b/test/e2e/fixture/fixture.go 
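Review bot: CheckProgressiveSyncStatusCodeOfApplications only iterates over the statuses the ApplicationSet actually reports, so an application that is in `expectedStatuses` but absent from `appSet.Status.ApplicationStatus` is never checked and the expectation reports `succeeded`; track which expected apps were seen and stay `pending` until all of them appear, as in the excerpt below. In the mismatch message, `expectedstatus.Application` is read from the map value, which callers may leave empty since the key already carries the name — `appStatus.Application` is the value that is known to be populated. Separately, CheckApplicationInRightSteps calls `slices.Sort(expectedApps)` on the caller's slice, mutating it on every poll; sort a copy instead, `sortedExpected := slices.Clone(expectedApps)` followed by `slices.Sort(sortedExpected)` and `slices.Equal(stepApps, sortedExpected)`.
```go
func CheckProgressiveSyncStatusCodeOfApplications(expectedStatuses map[string]v1alpha1.ApplicationSetApplicationStatus) Expectation {
	return func(c *Consequences) (state, string) {
		// … unchanged: appSet lookup and the two nil checks …
		seen := make(map[string]bool, len(appSet.Status.ApplicationStatus))
		for _, appStatus := range appSet.Status.ApplicationStatus {
			seen[appStatus.Application] = true
			expectedstatus, found := expectedStatuses[appStatus.Application]
			if !found {
				continue // Appset has more apps than expected - not ideal
			}
			if appStatus.Status != expectedstatus.Status {
				return pending, fmt.Sprintf("for application '%s': expected status '%s' but got '%s'", appStatus.Application, expectedstatus.Status, appStatus.Status)
			}
		}
		// An expected application that has no status entry yet is not a pass.
		for app := range expectedStatuses {
			if !seen[app] {
				return pending, fmt.Sprintf("expected application '%s' has no entry in ApplicationSet '%s' status yet", app, c.context.GetName())
			}
		}
		// … unchanged: succeeded return …
	}
}
```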
@@ -535,14 +535,14 @@ func SetAccounts(accounts map[string][]string) error { func SetPermissions(permissions []ACL, username string, roleName string) error { return updateRBACConfigMap(func(cm *corev1.ConfigMap) error { - var aclstr string + var aclstr strings.Builder for _, permission := range permissions { - aclstr += fmt.Sprintf("p, role:%s, %s, %s, %s, allow \n", roleName, permission.Resource, permission.Action, permission.Scope) + aclstr.WriteString(fmt.Sprintf("p, role:%s, %s, %s, %s, allow \n", roleName, permission.Resource, permission.Action, permission.Scope)) } - aclstr += fmt.Sprintf("g, %s, role:%s", username, roleName) - cm.Data["policy.csv"] = aclstr + aclstr.WriteString(fmt.Sprintf("g, %s, role:%s", username, roleName)) + cm.Data["policy.csv"] = aclstr.String() return nil }) @@ -987,7 +987,7 @@ func EnsureCleanState(t *testing.T, opts ...TestOption) *TestState { func RunCliWithRetry(maxRetries int, args ...string) (string, error) { var out string var err error - for i := 0; i < maxRetries; i++ { + for range maxRetries { out, err = RunCli(args...) if err == nil { break diff --git a/test/e2e/fixture/versions.go b/test/e2e/fixture/versions.go index fc6269e8b4..bb488fb7a9 100644 --- a/test/e2e/fixture/versions.go +++ b/test/e2e/fixture/versions.go @@ -6,8 +6,8 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/require" "github.com/argoproj/argo-cd/v3/util/argo" diff --git a/test/e2e/graceful_restart_test.go b/test/e2e/graceful_restart_test.go index 5f818c1c7e..de34e00063 100644 --- a/test/e2e/graceful_restart_test.go +++ b/test/e2e/graceful_restart_test.go 
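Review bot: Both changed lines in SetPermissions use `aclstr.WriteString(fmt.Sprintf(...))`, which formats into a temporary string and then copies it into the builder; writing straight into it is the idiomatic form and the one staticcheck and gocritic suggest: `fmt.Fprintf(&aclstr, "p, role:%s, %s, %s, %s, allow \n", roleName, permission.Resource, permission.Action, permission.Scope)` and `fmt.Fprintf(&aclstr, "g, %s, role:%s", username, roleName)`. The trailing space before `\n` in the policy line predates this change and is carried over unchanged; since the line is being touched anyway it is worth confirming whether the policy parser is expected to tolerate it or whether it should be dropped. SetPermissions' closing brace lies outside the hunk.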
@@ -38,7 +38,7 @@ func TestAPIServerGracefulRestart(t *testing.T) { require.NoError(t, fixture.SetParamInSettingConfigMap("url", "http://test-api-server-graceful-restart")) // Wait for ~5 seconds - for i := 0; i < 50; i++ { + for range 50 { checkHealth(t, false) time.Sleep(100 * time.Millisecond) } diff --git a/test/e2e/helm_test.go b/test/e2e/helm_test.go index e9353543cc..1391c0c962 100644 --- a/test/e2e/helm_test.go +++ b/test/e2e/helm_test.go @@ -8,8 +8,8 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" diff --git a/test/e2e/hook_test.go b/test/e2e/hook_test.go index 8c297d3bfa..ebe0462284 100644 --- a/test/e2e/hook_test.go +++ b/test/e2e/hook_test.go @@ -12,9 +12,9 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/controller-runtime/pkg/controller/controllerutil" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/sync/hook" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/hook" . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" . "github.com/argoproj/argo-cd/v3/test/e2e/fixture" diff --git a/test/e2e/hydrator_test.go b/test/e2e/hydrator_test.go index 3815af7b41..cf25b7dd3f 100644 --- a/test/e2e/hydrator_test.go +++ b/test/e2e/hydrator_test.go @@ -9,7 +9,7 @@ import ( "github.com/argoproj/argo-cd/v3/test/e2e/fixture" . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" ) func TestSimpleHydrator(t *testing.T) { 
diff --git a/test/e2e/jsonnet_test.go b/test/e2e/jsonnet_test.go index b0e57a93c3..bfbba15581 100644 --- a/test/e2e/jsonnet_test.go +++ b/test/e2e/jsonnet_test.go @@ -3,8 +3,8 @@ package e2e import ( "testing" - . "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/test/e2e/kustomize_test.go b/test/e2e/kustomize_test.go index efbbeba70b..f347b2519f 100644 --- a/test/e2e/kustomize_test.go +++ b/test/e2e/kustomize_test.go @@ -4,8 +4,8 @@ import ( "strconv" "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" diff --git a/test/e2e/managed_by_url_test.go b/test/e2e/managed_by_url_test.go index 9b3a68ce0f..2ab26a36e0 100644 --- a/test/e2e/managed_by_url_test.go +++ b/test/e2e/managed_by_url_test.go @@ -31,7 +31,7 @@ func TestManagedByURLWithAnnotation(t *testing.T) { CreateApp(). And(func() { // Add managed-by-url annotation to the application with retry logic - for i := 0; i < 3; i++ { + for i := range 3 { appObj, err := fixture.AppClientset.ArgoprojV1alpha1().Applications(fixture.ArgoCDNamespace).Get(t.Context(), ctx.GetName(), metav1.GetOptions{}) require.NoError(t, err) diff --git a/test/e2e/mask_secret_values_test.go b/test/e2e/mask_secret_values_test.go index 2be5677adc..262272b9e7 100644 --- a/test/e2e/mask_secret_values_test.go +++ b/test/e2e/mask_secret_values_test.go 
@@ -6,8 +6,8 @@ import ( "github.com/stretchr/testify/assert" - "github.com/argoproj/gitops-engine/pkg/health" - "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" . "github.com/argoproj/argo-cd/v3/test/e2e/fixture" diff --git a/test/e2e/multiarch-container/Dockerfile b/test/e2e/multiarch-container/Dockerfile index 2e5b69825a..fa74469715 100644 --- a/test/e2e/multiarch-container/Dockerfile +++ b/test/e2e/multiarch-container/Dockerfile @@ -1,2 +1,2 @@ -FROM docker.io/library/busybox@sha256:e226d6308690dbe282443c8c7e57365c96b5228f0fe7f40731b5d84d37a06839 +FROM docker.io/library/busybox@sha256:b3255e7dfbcd10cb367af0d409747d511aeb66dfac98cf30e97e87e4207dd76f CMD exec sh -c "trap : TERM INT; echo 'Hi' && tail -f /dev/null" diff --git a/test/e2e/oci_test.go b/test/e2e/oci_test.go index 7703ff0e18..5bc0ac19c0 100644 --- a/test/e2e/oci_test.go +++ b/test/e2e/oci_test.go @@ -3,8 +3,8 @@ package e2e import ( "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v3/test/e2e/fixture" diff --git a/test/e2e/pruning_required_test.go b/test/e2e/pruning_required_test.go index 22dbdf9e2e..00d4367ad2 100644 --- a/test/e2e/pruning_required_test.go +++ b/test/e2e/pruning_required_test.go @@ -3,7 +3,7 @@ package e2e import ( "testing" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app" ) diff --git a/test/e2e/selective_sync_test.go b/test/e2e/selective_sync_test.go index a9faaf011c..750b38d41c 100644 
--- a/test/e2e/selective_sync_test.go +++ b/test/e2e/selective_sync_test.go @@ -5,8 +5,8 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/require" . "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" diff --git a/test/e2e/ssh_repo_test.go b/test/e2e/ssh_repo_test.go index a0c5c5519c..9c714d49f5 100644 --- a/test/e2e/ssh_repo_test.go +++ b/test/e2e/ssh_repo_test.go @@ -3,7 +3,7 @@ package e2e import ( "testing" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/argoproj/argo-cd/v3/test/e2e/fixture" . "github.com/argoproj/argo-cd/v3/test/e2e/fixture/app" diff --git a/test/e2e/sync_options_test.go b/test/e2e/sync_options_test.go index 83b5a3ea29..485b541953 100644 --- a/test/e2e/sync_options_test.go +++ b/test/e2e/sync_options_test.go @@ -5,8 +5,8 @@ import ( "os" "testing" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" diff --git a/test/e2e/sync_waves_test.go b/test/e2e/sync_waves_test.go index 9c407be648..3c82de949c 100644 --- a/test/e2e/sync_waves_test.go +++ b/test/e2e/sync_waves_test.go @@ -4,8 +4,8 @@ import ( "testing" "time" - "github.com/argoproj/gitops-engine/pkg/health" - . "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" + . "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" "github.com/stretchr/testify/require" corev1 "k8s.io/api/core/v1" 
diff --git a/test/e2e/sync_with_impersonate_test.go b/test/e2e/sync_with_impersonate_test.go index e82f744e61..2e69f14e2a 100644 --- a/test/e2e/sync_with_impersonate_test.go +++ b/test/e2e/sync_with_impersonate_test.go @@ -194,7 +194,7 @@ func TestSyncWithValidSAButDisallowedDestination(t *testing.T) { When(). And(func() { // Patch destination to disallow target destination namespace - patch := []byte(fmt.Sprintf(`{"spec": {"destinations": [{"namespace": %q}]}}`, "!"+appCtx.DeploymentNamespace())) + patch := fmt.Appendf(nil, `{"spec": {"destinations": [{"namespace": %q}]}}`, "!"+appCtx.DeploymentNamespace()) _, err := fixture.AppClientset.ArgoprojV1alpha1().AppProjects(fixture.TestNamespace()).Patch(t.Context(), projectCtx.GetName(), types.MergePatchType, patch, metav1.PatchOptions{}) require.NoError(t, err) diff --git a/test/e2e/testdata/progressive-sync/dev/deployment.yaml b/test/e2e/testdata/progressive-sync/dev/deployment.yaml new file mode 100644 index 0000000000..7650850028 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/dev/deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dev-app +spec: + replicas: 1 + progressDeadlineSeconds: 10 + selector: + matchLabels: + app: dev + template: + metadata: + labels: + app: dev + spec: + containers: + - name: main + command: ["sleep", "999"] + image: alpine:invalid! # Bad image - will be stuck Progressing + imagePullPolicy: IfNotPresent \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/build/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/build/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/build/deployment.yaml 
@@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/sketch/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/sketch/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/dev/sketch/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/run/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/run/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/run/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file 
diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/ship/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/ship/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/prod/ship/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/validate/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/validate/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/validate/deployment.yaml @@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/verify/deployment.yaml b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/verify/deployment.yaml new file mode 100644 index 0000000000..daf4351661 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/multiple-apps-in-step/staging/verify/deployment.yaml 
@@ -0,0 +1,21 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: guestbook-ui +spec: + replicas: 0 + revisionHistoryLimit: 3 + selector: + matchLabels: + app: guestbook-ui + template: + metadata: + labels: + app: guestbook-ui + spec: + containers: + - image: quay.io/argoprojlabs/argocd-e2e-container:0.2 + imagePullPolicy: IfNotPresent + name: guestbook-ui + ports: + - containerPort: 80 \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/prod/deployment.yaml b/test/e2e/testdata/progressive-sync/prod/deployment.yaml new file mode 100644 index 0000000000..7650850028 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/prod/deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dev-app +spec: + replicas: 1 + progressDeadlineSeconds: 10 + selector: + matchLabels: + app: dev + template: + metadata: + labels: + app: dev + spec: + containers: + - name: main + command: ["sleep", "999"] + image: alpine:invalid! # Bad image - will be stuck Progressing + imagePullPolicy: IfNotPresent \ No newline at end of file diff --git a/test/e2e/testdata/progressive-sync/staging/deployment.yaml b/test/e2e/testdata/progressive-sync/staging/deployment.yaml new file mode 100644 index 0000000000..7650850028 --- /dev/null +++ b/test/e2e/testdata/progressive-sync/staging/deployment.yaml @@ -0,0 +1,20 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: dev-app +spec: + replicas: 1 + progressDeadlineSeconds: 10 + selector: + matchLabels: + app: dev + template: + metadata: + labels: + app: dev + spec: + containers: + - name: main + command: ["sleep", "999"] + image: alpine:invalid! # Bad image - will be stuck Progressing + imagePullPolicy: IfNotPresent \ No newline at end of file diff --git a/test/remote/Dockerfile b/test/remote/Dockerfile index 2ab2f53442..5362695ab0 100644 --- a/test/remote/Dockerfile +++ b/test/remote/Dockerfile 
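Review bot: `progressive-sync/prod/deployment.yaml` and `progressive-sync/staging/deployment.yaml` are byte-for-byte copies of `progressive-sync/dev/deployment.yaml` — all three carry blob index 7650850028 — so the prod and staging manifests declare `name: dev-app` and select on `app: dev`. If the progressive-sync assertions are meant to tell the environments apart by resource, give each copy its own name and label (`name: prod-app` / `app: prod`, and likewise for staging); if the identical content is deliberate, a one-line comment at the top of each copy such as `# Intentionally identical to dev/deployment.yaml: the test only needs a Deployment that stays Progressing` tells the next reader not to go hunting for a difference.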
@@ -1,6 +1,6 @@ -ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:5922638447b1e3ba114332c896a2c7288c876bb94adec923d70d58a17d2fec5e +ARG BASE_IMAGE=docker.io/library/ubuntu:25.10@sha256:4a9232cc47bf99defcc8860ef6222c99773330367fcecbf21ba2edb0b810a31e -FROM docker.io/library/golang:1.25.5@sha256:8bbd14091f2c61916134fa6aeb8f76b18693fcb29a39ec6d8be9242c0a7e9260 AS go +FROM docker.io/library/golang:1.26.0@sha256:c83e68f3ebb6943a2904fa66348867d108119890a2c6a2e6f07b38d0eb6c25c5 AS go RUN go install github.com/mattn/goreman@latest && \ go install github.com/kisielk/godepgraph@latest diff --git a/test/testdata.go b/test/testdata.go index bf85f2fa89..90875213d5 100644 --- a/test/testdata.go +++ b/test/testdata.go @@ -4,7 +4,7 @@ import ( "context" "github.com/alicebob/miniredis/v2" - "github.com/argoproj/gitops-engine/pkg/utils/testing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing" "github.com/redis/go-redis/v9" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" diff --git a/ui-test/yarn.lock b/ui-test/yarn.lock index 9ae26b9945..02075cd34a 100644 --- a/ui-test/yarn.lock +++ b/ui-test/yarn.lock @@ -173,12 +173,12 @@ available-typed-arrays@^1.0.2: array-filter "^1.0.0" axios@^1.7.4: - version "1.12.2" - resolved "https://registry.yarnpkg.com/axios/-/axios-1.12.2.tgz#6c307390136cf7a2278d09cec63b136dfc6e6da7" - integrity sha512-vMJzPewAlRyOgxV2dU0Cuz2O8zzzx9VYtbJOaBgXFeLc4IV/Eg50n4LowmehOOR61S8ZMpc2K5Sa7g6A4jfkUw== + version "1.13.5" + resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.5.tgz#5e464688fa127e11a660a2c49441c009f6567a43" + integrity sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q== dependencies: - follow-redirects "^1.15.6" - form-data "^4.0.4" + follow-redirects "^1.15.11" + form-data "^4.0.5" proxy-from-env "^1.1.0" balanced-match@^1.0.0: 
@@ -611,10 +611,10 @@ flat@^5.0.2: resolved "https://registry.npmjs.org/flat/-/flat-5.0.2.tgz" integrity sha512-b6suED+5/3rTpUBdG1gupIl8MPFCAMA0QXwmljLhvCUKcUvdE4gWky9zpuGCcXHOsz4J9wPGNWq6OKpmIzz3hQ== -follow-redirects@^1.15.6: - version "1.15.6" - resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.6.tgz#7f815c0cda4249c74ff09e95ef97c23b5fd0399b" - integrity sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA== +follow-redirects@^1.15.11: + version "1.15.11" + resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340" + integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ== foreach@^2.0.5: version "2.0.5" @@ -629,10 +629,10 @@ foreground-child@^3.1.0: cross-spawn "^7.0.0" signal-exit "^4.0.1" -form-data@^4.0.4: - version "4.0.4" - resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.4.tgz#784cdcce0669a9d68e94d11ac4eea98088edd2c4" - integrity sha512-KrGhL9Q4zjj0kiUt5OO4Mr/A/jlI2jDYs5eHBpYHPcBEVSiipAvn2Ko2HnPe20rmcuuvMHNdZFp+4IlGTMF0Ow== +form-data@^4.0.5: + version "4.0.5" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.5.tgz#b49e48858045ff4cbf6b03e1805cebcad3679053" + integrity sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w== dependencies: asynckit "^0.4.0" combined-stream "^1.0.8" diff --git a/ui/src/app/app.tsx b/ui/src/app/app.tsx index 54434bc15e..9a75b51ebb 100644 --- a/ui/src/app/app.tsx +++ b/ui/src/app/app.tsx 
@@ -32,6 +32,8 @@ type Routes = {[path: string]: {component: React.ComponentType { +interface ApplicationConditionsProps { + conditions: models.ApplicationCondition[]; + title?: string; +} + +interface ApplicationSetConditionsProps { + conditions: models.ApplicationSetCondition[]; + title?: string; +} + +export const ApplicationConditions = ({conditions, title = 'Application conditions'}: ApplicationConditionsProps) => { return (
    -

    Application conditions

    +

    {title}

    {(conditions.length === 0 &&

    Application is healthy

    ) || (
    {conditions.map((condition, index) => ( @@ -30,3 +40,33 @@ export const ApplicationConditions = ({conditions}: {conditions: models.Applicat
    ); }; + +export const ApplicationSetConditions = ({conditions, title = 'ApplicationSet conditions'}: ApplicationSetConditionsProps) => { + return ( +
    +

    {title}

    + {(conditions.length === 0 &&

    ApplicationSet is healthy

    ) || ( +
    + {conditions.map((condition, index) => ( +
    +
    +
    + {condition.type} + {condition.status && ({condition.status})} +
    +
    + {condition.message} +
    +
    + +
    +
    +
    + ))} +
    + )} +
    + ); +}; diff --git a/ui/src/app/applications/components/application-details/application-details.tsx b/ui/src/app/applications/components/application-details/application-details.tsx index 4f478d2ba1..c141b3efe2 100644 --- a/ui/src/app/applications/components/application-details/application-details.tsx +++ b/ui/src/app/applications/components/application-details/application-details.tsx @@ -12,14 +12,17 @@ import {AppContext, Context, ContextApis} from '../../../shared/context'; import * as appModels from '../../../shared/models'; import {AppDetailsPreferences, AppsDetailsViewKey, AppsDetailsViewType, services} from '../../../shared/services'; -import {ApplicationConditions} from '../application-conditions/application-conditions'; +import {ApplicationConditions, ApplicationSetConditions} from '../application-conditions/application-conditions'; import {ApplicationDeploymentHistory} from '../application-deployment-history/application-deployment-history'; import {ApplicationOperationState} from '../application-operation-state/application-operation-state'; import {PodGroupType, PodView} from '../application-pod-view/pod-view'; import {ApplicationResourceTree, ResourceTreeNode} from '../application-resource-tree/application-resource-tree'; import {ApplicationStatusPanel} from '../application-status-panel/application-status-panel'; +import {ApplicationSetStatusPanel} from '../application-status-panel/appset-status-panel'; import {ApplicationSyncPanel} from '../application-sync-panel/application-sync-panel'; +import {isApp} from '../utils'; import {ResourceDetails} from '../resource-details/resource-details'; +import {AppSetResourceDetails} from '../resource-details/appset-resource-details'; import * as AppUtils from '../utils'; import {ApplicationResourceList} from './application-resource-list'; import {Filters, FiltersProps} from './application-resource-filter'; 
@@ -647,8 +650,9 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat }) ) }> - {({application, tree, pref}: {application: appModels.Application; tree: appModels.ApplicationTree; pref: AppDetailsPreferences}) => { + {({application, tree, pref}: {application: appModels.AbstractApplication; tree: appModels.ApplicationTree; pref: AppDetailsPreferences}) => { tree.nodes = tree.nodes || []; + const isApplication = isApp(application); const treeFilter = getTreeFilter(pref.resourceFilter); const setFilter = (items: string[]) => { appContext.navigation.goto('.', {resource: items.join(',')}, {replace: true}); 
@@ -656,20 +660,36 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat }; const clearFilter = () => setFilter([]); const refreshing = application.metadata.annotations && application.metadata.annotations[appModels.AnnotationRefreshKey]; - const appNodesByName = groupAppNodesByKey(application, tree); + const appNodesByName = isApplication ? groupAppNodesByKey(application as appModels.Application, tree) : new Map(); + // For ApplicationSets, add the appset itself to the map + if (!isApplication) { + const appSetKey = AppUtils.nodeKey({ + group: 'argoproj.io', + kind: application.kind, + name: application.metadata.name, + namespace: application.metadata.namespace + }); + appNodesByName.set(appSetKey, application); + // Also add tree nodes for ApplicationSets + tree.nodes.forEach(node => appNodesByName.set(AppUtils.nodeKey(node), node)); + } const selectedItem = (selectedNodeKey && appNodesByName.get(selectedNodeKey)) || null; const isAppSelected = selectedItem === application; const selectedNode = !isAppSelected && (selectedItem as appModels.ResourceNode); - const operationState = application.status.operationState; - const hydrateOperationState = application.status.sourceHydrator.currentOperation; - const conditions = application.status.conditions || []; + const operationState = isApplication ? (application as appModels.Application).status.operationState : undefined; + const hydrateOperationState = isApplication ? (application as appModels.Application).status.sourceHydrator?.currentOperation : undefined; + const conditions = application.status?.conditions || []; const syncResourceKey = new URLSearchParams(props.history.location.search).get('deploy'); - const tab = new URLSearchParams(props.history.location.search).get('tab'); - const source = getAppDefaultSource(application); + const source = isApplication ? 
getAppDefaultSource(application as appModels.Application) : undefined; const showToolTip = pref?.userHelpTipMsgs.find(usrMsg => usrMsg.appName === application.metadata.name); const resourceNodes = (): any[] => { + if (!isApplication) { + // For ApplicationSets, use tree nodes directly + return tree.nodes.map(node => ({...node, orphaned: false})); + } + const app = application as appModels.Application; const statusByKey = new Map(); - application.status.resources.forEach(res => statusByKey.set(AppUtils.nodeKey(res), res)); + app.status.resources.forEach(res => statusByKey.set(AppUtils.nodeKey(res), res)); const resources = new Map(); tree.nodes .map(node => ({...node, orphaned: false})) 
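Review bot: The `application as appModels.Application` cast follows nearly every `isApplication` check in this hunk (`groupAppNodesByKey`, `operationState`, `hydrateOperationState`, `source`, the `app` local in `resourceNodes`) and recurs in the hunks at 705, 759, 784, 799, 821, 950, 1021 and 1040, plus the `props.app as models.Application` casts in application-resource-tree.tsx. If `isApp` is not already declared as a type predicate (`app is appModels.Application`), making it one lets TypeScript narrow inside the `isApplication` branches and most of these casts disappear; if it is, the casts are presumably there because the result is stored in a const, which recent TypeScript versions also narrow on, so it is worth checking which case applies before accepting the casts wholesale. A smaller point: the ApplicationSet branch starts from an untyped `new Map()`, so the union with `groupAppNodesByKey`'s return type presumably collapses to `Map<any, any>` and `appNodesByName.get(selectedNodeKey)` loses its type; `new Map<string, appModels.ResourceNode | appModels.AbstractApplication>()` keeps it. The render callback that holds this code starts and ends outside the hunk.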
@@ -705,6 +725,63 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat : [] })); }; + + // Helper to get ApplicationResourceTree props based on resource type + const getResourceTreeProps = () => { + const commonProps = { + nodeFilter: (node: ResourceTreeNode) => filterTreeNode(node, treeFilter), + selectedNodeFullName: selectedNodeKey, + showCompactNodes: pref.groupNodes, + userMsgs: pref.userHelpTipMsgs, + tree, + onClearFilter: clearFilter, + onGroupdNodeClick: (nodeIds: string[]) => openGroupNodeDetails(nodeIds), + zoom: pref.zoom, + appContext: {...appContext, apis: appContext} as unknown as AppContext, + nameDirection: state.truncateNameOnRight, + nameWrap: state.showFullNodeName, + filters: pref.resourceFilter, + setTreeFilterGraph: setFilterGraph, + updateUsrHelpTipMsgs: updateHelpTipState, + setShowCompactNodes, + setNodeExpansion: (node: string, isExpanded: boolean) => setNodeExpansion(node, isExpanded), + getNodeExpansion: (node: string) => getNodeExpansion(node) + }; + + if (isApplication) { + return { + ...commonProps, + onNodeClick: (fullName: string) => selectNode(fullName), + nodeMenu: (node: ResourceTreeNode) => + AppUtils.renderResourceMenu(node, application as appModels.Application, tree, appContext, appChanged.current, () => + getApplicationActionMenu(application as appModels.Application, false) + ), + app: application as appModels.Application, + showOrphanedResources: pref.orphanedResources, + useNetworkingHierarchy: pref.view === 'network', + podGroupCount: pref.podGroupCount + }; + } else { + return { + ...commonProps, + onNodeClick: (fullName: string) => { + // For ApplicationSets, navigate to Application details if clicking an Application node + const parts = fullName.split('/'); + const [group, kind, namespace, name] = parts; + if (group === 'argoproj.io' && kind === 'Application' && namespace && name) { + appContext.navigation.goto(`/applications/${namespace}/${name}`); + } else { + selectNode(fullName); + } 
+ }, + app: application, + showOrphanedResources: false, + useNetworkingHierarchy: false, + podGroupCount: 0 + }; + } + }; + const {Tree, Pods, Network, List} = AppsDetailsViewKey; const zoomNum = (pref.zoom * 100).toFixed(0); const setZoom = (s: number) => { @@ -759,7 +836,7 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat }); setState(prevState => ({...prevState, collapsedNodes: collapsedNodesList})); } else { - const managedKeys = new Set(application.status.resources.map(AppUtils.nodeKey)); + const managedKeys = isApplication ? new Set((application as appModels.Application).status.resources.map(AppUtils.nodeKey)) : new Set(); nodes.forEach(node => { if (!((node.parentRefs || []).length === 0 || managedKeys.has(AppUtils.nodeKey(node)))) { node.parentRefs.forEach(parent => { @@ -784,9 +861,9 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat const activeStatusExt = state.statusExtensionsMap[selectedExtension]; const activeTopBarActionMenuExt = state.topBarActionMenuExtsMap[selectedExtension]; - if (state.extensionsMap[pref.view] != null) { + if (isApplication && state.extensionsMap[pref.view] != null) { const extension = state.extensionsMap[pref.view]; - if (!extension.shouldDisplay(application)) { + if (!extension.shouldDisplay(application as appModels.Application)) { appContext.navigation.goto('.', {view: Tree}); } } 
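Review bot: The ApplicationSet `onNodeClick` hand-builds the route with `appContext.navigation.goto(`/applications/${namespace}/${name}`)` after splitting the node key, which hard-codes both the key layout that `AppUtils.nodeKey` owns and the URL layout that `AppUtils.getAppUrl` already produces elsewhere in this diff (application-table-row.tsx); if `getAppUrl` needs a full app object, a small shared helper taking namespace and name would keep the route format in one place. The `'argoproj.io'`/`'Application'` literals here duplicate the ones used to build `appSetKey` in the previous hunk and would belong in that same helper. `parts` is only destructured once, so `const [group, kind, namespace, name] = fullName.split('/');` reads more directly. `getResourceTreeProps` lives inside the render callback, which starts and ends outside this hunk.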
@@ -799,16 +876,27 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat topBarTitle={getPageTitle(pref.view)} toolbar={{ breadcrumbs: [ - {title: 'Applications', path: '/applications'}, + { + title: isApplication ? 'Applications' : 'ApplicationSets', + path: isApplication ? '/applications' : '/applicationsets' + }, {title: } ], actionMenu: { - items: [ - ...getApplicationActionMenu(application, true), - ...(state.topBarActionMenuExts - ?.filter(ext => ext.shouldDisplay?.(application)) - .map(ext => renderActionMenuItem(ext, tree, application, setExtensionPanelVisible)) || []) - ] + items: isApplication + ? [ + ...getApplicationActionMenu(application as appModels.Application, true), + ...(state.topBarActionMenuExts + ?.filter(ext => ext.shouldDisplay?.(application as appModels.Application)) + .map(ext => renderActionMenuItem(ext, tree, application as appModels.Application, setExtensionPanelVisible)) || []) + ] + : [ + { + title: 'AppSet Details', + iconClassName: 'fa fa-info-circle', + action: () => selectNode(appFullName) + } + ] }, tools: ( 
@@ -821,22 +909,26 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat services.viewPreferences.updatePreferences({appDetails: {...pref, view: Tree}}); }} /> - { - appContext.navigation.goto('.', {view: Pods}); - services.viewPreferences.updatePreferences({appDetails: {...pref, view: Pods}}); - }} - /> - { - appContext.navigation.goto('.', {view: Network}); - services.viewPreferences.updatePreferences({appDetails: {...pref, view: Network}}); - }} - /> + {isApplication && ( + <> + { + appContext.navigation.goto('.', {view: Pods}); + services.viewPreferences.updatePreferences({appDetails: {...pref, view: Pods}}); + }} + /> + { + appContext.navigation.goto('.', {view: Network}); + services.viewPreferences.updatePreferences({appDetails: {...pref, view: Network}}); + }} + /> + + )} - {state.extensions && + {isApplication && + state.extensions && (state.extensions || []) - .filter(ext => ext.shouldDisplay(application)) + .filter(ext => ext.shouldDisplay(application as appModels.Application)) .map(ext => (
    - selectNode(appFullName, 0, 'diff')} - showOperation={() => setOperationStatusVisible(true)} - showHydrateOperation={() => setHydrateOperationStatusVisible(true)} - showConditions={() => setConditionsStatusVisible(true)} - showExtension={id => setExtensionPanelVisible(id)} - showMetadataInfo={revision => setState(prevState => ({...prevState, revision}))} - /> + {isApplication ? ( + selectNode(appFullName, 0, 'diff')} + showOperation={() => setOperationStatusVisible(true)} + showHydrateOperation={() => setHydrateOperationStatusVisible(true)} + showConditions={() => setConditionsStatusVisible(true)} + showExtension={id => setExtensionPanelVisible(id)} + showMetadataInfo={revision => setState(prevState => ({...prevState, revision}))} + /> + ) : ( + setConditionsStatusVisible(true)} + /> + )}
    {refreshing &&

    Refreshing

    } @@ -950,52 +1050,26 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat
    {zoomNum}%
    - filterTreeNode(node, treeFilter)} - selectedNodeFullName={selectedNodeKey} - onNodeClick={fullName => selectNode(fullName)} - nodeMenu={node => - AppUtils.renderResourceMenu(node, application, tree, appContext, appChanged.current, () => - getApplicationActionMenu(application, false) - ) - } - showCompactNodes={pref.groupNodes} - userMsgs={pref.userHelpTipMsgs} - tree={tree} - app={application} - showOrphanedResources={pref.orphanedResources} - useNetworkingHierarchy={pref.view === 'network'} - onClearFilter={clearFilter} - onGroupdNodeClick={groupdedNodeIds => openGroupNodeDetails(groupdedNodeIds)} - zoom={pref.zoom} - podGroupCount={pref.podGroupCount} - appContext={{...appContext, apis: appContext} as unknown as AppContext} - nameDirection={state.truncateNameOnRight} - nameWrap={state.showFullNodeName} - filters={pref.resourceFilter} - setTreeFilterGraph={setFilterGraph} - updateUsrHelpTipMsgs={updateHelpTipState} - setShowCompactNodes={setShowCompactNodes} - setNodeExpansion={(node, isExpanded) => setNodeExpansion(node, isExpanded)} - getNodeExpansion={node => getNodeExpansion(node)} - /> + )) || - (pref.view === 'pods' && ( + (isApplication && pref.view === 'pods' && ( selectNode(fullName)} nodeMenu={node => - AppUtils.renderResourceMenu(node, application, tree, appContext, appChanged.current, () => - getApplicationActionMenu(application, false) + AppUtils.renderResourceMenu(node, application as appModels.Application, tree, appContext, appChanged.current, () => + getApplicationActionMenu(application as appModels.Application, false) ) } - quickStarts={node => AppUtils.renderResourceButtons(node, application, tree, appContext, appChanged.current)} + quickStarts={node => + AppUtils.renderResourceButtons(node, application as appModels.Application, tree, appContext, appChanged.current) + } /> )) || - (state.extensionsMap[pref.view] != null && ( - + (isApplication && state.extensionsMap[pref.view] != null && ( + )) || (
    services.viewPreferences.getPreferences()}> @@ -1021,10 +1095,18 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat pref={pref} onNodeClick={fullName => selectNode(fullName)} resources={data} - nodeMenu={node => - AppUtils.renderResourceMenu(node, application, tree, appContext, appChanged.current, () => - getApplicationActionMenu(application, false) - ) + nodeMenu={ + isApplication + ? node => + AppUtils.renderResourceMenu( + node, + application as appModels.Application, + tree, + appContext, + appChanged.current, + () => getApplicationActionMenu(application as appModels.Application, false) + ) + : undefined } tree={tree} /> @@ -1040,92 +1122,132 @@ Are you sure you want to disable auto-sync and rollback application '${props.mat )}
    - 0} onClose={() => closeGroupedNodesPanel()}> -
    - setState(prevState => ({...prevState, slidingPanelPage: page}))} - preferencesKey='grouped-nodes-details'> - {data => ( - selectNode(fullName)} - resources={data} - nodeMenu={node => - AppUtils.renderResourceMenu(node, application, tree, appContext, appChanged.current, () => - getApplicationActionMenu(application, false) - ) - } - tree={tree} - /> - )} - -
    -
    - selectNode('')}> - updateApp(app, query)} - selectedNode={selectedNode} - appCxt={{...appContext, apis: appContext} as unknown as AppContext} - tab={tab} - /> - - AppUtils.showDeploy(null, null, appContext)} - selectedResource={syncResourceKey} - /> - -1} onClose={() => setRollbackPanelVisible(-1)}> - {selectedRollbackDeploymentIndex > -1 && ( - rollbackApplication(info, application)} - selectDeployment={i => setRollbackPanelVisible(i)} + {isApplication && ( + 0} onClose={() => closeGroupedNodesPanel()}> +
    + setState(prevState => ({...prevState, slidingPanelPage: page}))} + preferencesKey='grouped-nodes-details'> + {data => ( + selectNode(fullName)} + resources={data} + nodeMenu={node => + AppUtils.renderResourceMenu( + node, + application as appModels.Application, + tree, + appContext, + appChanged.current, + () => getApplicationActionMenu(application as appModels.Application, false) + ) + } + tree={tree} + /> + )} + +
    +
    + )} + {isApplication && ( + selectNode('')}> + updateApp(app, query)} + selectedNode={selectedNode} + appCxt={{...appContext, apis: appContext} as unknown as AppContext} /> - )} - - setOperationStatusVisible(false)}> - {operationState && } - - setHydrateOperationStatusVisible(false)}> - {hydrateOperationState && } - - setConditionsStatusVisible(false)}> - {conditions && } - - setState(prevState => ({...prevState, revision: null}))}> - {state.revision === 'SYNC_STATUS_REVISION' && - (application.status.sync.revisions || application.status.sync.revision) && - getContent(application, source, application.status.sync.revisions, application.status.sync.revision)} - {state.revision === 'OPERATION_STATE_REVISION' && - (application.status.operationState.syncResult.revisions || application.status.operationState.syncResult.revision) && - getContent( - application, - source, - application.status.operationState.syncResult.revisions, - application.status.operationState.syncResult.revision + + )} + {!isApplication && ( + selectNode('')}> + + + )} + {isApplication && ( + AppUtils.showDeploy(null, null, appContext)} + selectedResource={syncResourceKey} + /> + )} + {isApplication && ( + -1} onClose={() => setRollbackPanelVisible(-1)}> + {selectedRollbackDeploymentIndex > -1 && ( + rollbackApplication(info, application as appModels.Application)} + selectDeployment={i => setRollbackPanelVisible(i)} + /> )} + + )} + {isApplication && ( + setOperationStatusVisible(false)}> + {operationState && } + + )} + {isApplication && ( + setHydrateOperationStatusVisible(false)}> + {hydrateOperationState && } + + )} + setConditionsStatusVisible(false)}> + {conditions && + (isApplication ? 
( + + ) : ( + + ))} - setExtensionPanelVisible('')}> - {selectedExtension !== '' && activeStatusExt?.flyout && } - - setExtensionPanelVisible('')}> - {selectedExtension !== '' && activeTopBarActionMenuExt?.flyout && ( - - )} - + {isApplication && ( + setState(prevState => ({...prevState, revision: null}))}> + {state.revision === 'SYNC_STATUS_REVISION' && + ((application as appModels.Application).status.sync.revisions || (application as appModels.Application).status.sync.revision) && + getContent( + application as appModels.Application, + source, + (application as appModels.Application).status.sync.revisions, + (application as appModels.Application).status.sync.revision + )} + {state.revision === 'OPERATION_STATE_REVISION' && + ((application as appModels.Application).status.operationState.syncResult.revisions || + (application as appModels.Application).status.operationState.syncResult.revision) && + getContent( + application as appModels.Application, + source, + (application as appModels.Application).status.operationState.syncResult.revisions, + (application as appModels.Application).status.operationState.syncResult.revision + )} + + )} + {isApplication && ( + setExtensionPanelVisible('')}> + {selectedExtension !== '' && activeStatusExt?.flyout && ( + + )} + + )} + {isApplication && ( + setExtensionPanelVisible('')}> + {selectedExtension !== '' && activeTopBarActionMenuExt?.flyout && ( + + )} + + )}
 );
 };
diff --git a/ui/src/app/applications/components/application-parameters/application-parameters.tsx b/ui/src/app/applications/components/application-parameters/application-parameters.tsx
index dac7335b99..d29fded3d2 100644
--- a/ui/src/app/applications/components/application-parameters/application-parameters.tsx
+++ b/ui/src/app/applications/components/application-parameters/application-parameters.tsx
@@ -28,7 +28,7 @@ import {ImageTagFieldEditor} from './kustomize';
 import * as kustomize from './kustomize-image';
 import {VarsInputField} from './vars-input-field';
 import {concatMaps} from '../../../shared/utils';
-import {deleteSourceAction, getAppDefaultSource, helpTip} from '../utils';
+import {deleteSourceAction, getAppDefaultSource, getAppDrySource, helpTip} from '../utils';
 import * as jsYaml from 'js-yaml';
 import {RevisionFormField} from '../revision-form-field/revision-form-field';
 import classNames from 'classnames';
@@ -1091,9 +1091,9 @@ async function getSourceFromAppSources(aSource: models.ApplicationSource, name:
 // Delete when source field is removed
 async function getSingleSource(app: models.Application) {
 if (app.spec.source || app.spec.sourceHydrator) {
- const repoDetail = await services.repos.appDetails(getAppDefaultSource(app), app.metadata.name, app.spec.project, 0, 0).catch(() => ({
+ const repoDetail = await services.repos.appDetails(getAppDrySource(app), app.metadata.name, app.spec.project, 0, 0).catch(() => ({
 type: 'Directory' as models.AppSourceType,
- path: getAppDefaultSource(app).path
+ path: getAppDrySource(app).path
 }));
 return repoDetail;
 }
diff --git a/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx b/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx
index 0d222c8b98..00fdd7a7ca 100644
--- a/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx
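Review bot: `ResourceDetails` no longer receives `tab`: the removed block passed `tab={tab}` (read from the `?tab=` query parameter, whose `const tab = ...` line was also dropped in the hunk at 656) and the replacement ends at `appCxt={{...appContext, apis: appContext} as unknown as AppContext} />` with nothing taking its place. Unless ResourceDetails now reads the query parameter itself, deep links that select a resource tab silently lose that selection; either restore `tab={new URLSearchParams(props.history.location.search).get('tab')}` or note in the commit that the prop was removed from ResourceDetails. Separately, the new `{conditions && (isApplication ? ... : ...)}` guard is always truthy because `conditions` is initialised with `|| []` earlier in the callback, so `conditions.length > 0 &&` would say what is meant. This JSX sits in the render callback that starts outside the hunk.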
+++ b/ui/src/app/applications/components/application-resource-tree/application-resource-tree.tsx @@ -16,7 +16,9 @@ import { BASE_COLORS, ComparisonStatusIcon, getAppOverridesCount, + getAppSetHealthStatus, HealthStatusIcon, + isApp, isAppNode, isYoungerThanXMinutes, NodeId, @@ -50,7 +52,7 @@ export interface ResourceTreeNode extends models.ResourceNode { } export interface ApplicationResourceTreeProps { - app: models.Application; + app: models.AbstractApplication; tree: models.ApplicationTree; useNetworkingHierarchy: boolean; nodeFilter: (node: ResourceTreeNode) => boolean; @@ -244,7 +246,7 @@ export function compareNodes(first: ResourceTreeNode, second: ResourceTreeNode) ); } -function appNodeKey(app: models.Application) { +function appNodeKey(app: models.AbstractApplication) { return nodeKey({group: 'argoproj.io', kind: app.kind, name: app.metadata.name, namespace: app.metadata.namespace}); } @@ -407,7 +409,7 @@ function renderPodGroup(props: ApplicationResourceTreeProps, id: string, node: R } const appNode = isAppNode(node); const rootNode = !node.root; - const extLinks: string[] = props.app.status.summary.externalURLs; + const extLinks: string[] = isApp(props.app) ? (props.app as models.Application).status.summary.externalURLs : []; const podGroupChildren = childMap.get(treeNodeKey(node)); const nonPodChildren = podGroupChildren?.reduce((acc, child) => { if (child.kind !== 'Pod') { @@ -755,7 +757,7 @@ function renderResourceNode(props: ApplicationResourceTreeProps, id: string, nod } const appNode = isAppNode(node); const rootNode = !node.root; - const extLinks: string[] = props.app.status.summary.externalURLs; + const extLinks: string[] = isApp(props.app) ? (props.app as models.Application).status.summary.externalURLs : []; const childCount = nodesHavingChildren.get(node.uid); return (
    version: '', // @ts-expect-error its not any children: [], - status: props.app.status.sync.status, - health: props.app.status.health, + status: isApp(props.app) ? (props.app as models.Application).status.sync.status : null, + health: isApp(props.app) ? (props.app as models.Application).status.health : {status: getAppSetHealthStatus(props.app as models.ApplicationSet), message: ''}, uid: props.app.kind + '-' + props.app.metadata.namespace + '-' + props.app.metadata.name, info: overridesCount > 0 
@@ -934,19 +936,34 @@ export const ApplicationResourceTree = (props: ApplicationResourceTreeProps) => }; const statusByKey = new Map(); - props.app.status.resources.forEach(res => statusByKey.set(nodeKey(res), res)); + const appSetStatusByKey = new Map(); + if (isApp(props.app)) { + (props.app as models.Application).status.resources.forEach(res => statusByKey.set(nodeKey(res), res)); + } else if ((props.app as models.ApplicationSet).status?.resources) { + (props.app as models.ApplicationSet).status.resources.forEach(res => appSetStatusByKey.set(nodeKey(res), res)); + } const nodeByKey = new Map(); props.tree.nodes .map(node => ({...node, orphaned: false})) .concat(((props.showOrphanedResources && props.tree.orphanedNodes) || []).map(node => ({...node, orphaned: true}))) .forEach(node => { - const status = statusByKey.get(nodeKey(node)); const resourceNode: ResourceTreeNode = {...node}; - if (status) { - resourceNode.health = status.health; - resourceNode.status = status.status; - resourceNode.hook = status.hook; - resourceNode.requiresPruning = status.requiresPruning; + if (isApp(props.app)) { + const status = statusByKey.get(nodeKey(node)); + if (status) { + resourceNode.health = status.health; + resourceNode.status = status.status; + resourceNode.hook = status.hook; + resourceNode.requiresPruning = status.requiresPruning; + } + } else { + const status = appSetStatusByKey.get(nodeKey(node)); + if (status && status.health) { + resourceNode.health = { + status: status.health.status as models.HealthStatusCode, + message: '' + }; + } } nodeByKey.set(treeNodeKey(node), resourceNode); }); 
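Review bot: `status.health.status as models.HealthStatusCode` asserts rather than checks: if the ApplicationSet resource status carries a health string outside the enum (the cast suggests that field is typed more loosely than Application's), it reaches `resourceNode.health` unchanged and the health icon renderer is left to cope with an unknown value. A small helper that validates against the known codes and otherwise falls back to the enum's unknown member would keep that contract at the boundary instead of at every consumer. Two smaller points: `if (status && status.health)` can be `if (status?.health)`, and `statusByKey` and `appSetStatusByKey` are both allocated although only one is ever filled, so a single map with a per-branch fill would read more simply. The component this code belongs to starts and ends outside the hunk.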
@@ -979,7 +996,7 @@ export const ApplicationResourceTree = (props: ApplicationResourceTreeProps) => } }, [podCount]); - function filterGraph(app: models.Application, filteredIndicatorParent: string, graphNodesFilter: dagre.graphlib.Graph, predicate: (node: ResourceTreeNode) => boolean) { + function filterGraph(app: models.AbstractApplication, filteredIndicatorParent: string, graphNodesFilter: dagre.graphlib.Graph, predicate: (node: ResourceTreeNode) => boolean) { const appKey = appNodeKey(app); let filtered = 0; graphNodesFilter.nodes().forEach(nodeId => { @@ -1118,8 +1135,12 @@ export const ApplicationResourceTree = (props: ApplicationResourceTreeProps) => } } else { // Tree view - const managedKeys = new Set(props.app.status.resources.map(nodeKey)); - const orphanedKeys = new Set(props.tree.orphanedNodes?.map(nodeKey)); + const managedKeys = isApp(props.app) + ? new Set((props.app as models.Application).status.resources.map(nodeKey)) + : (props.app as models.ApplicationSet).status?.resources + ? new Set((props.app as models.ApplicationSet).status.resources.map(nodeKey)) + : new Set(); + const orphanedKeys = isApp(props.app) ? new Set(props.tree.orphanedNodes?.map(nodeKey)) : new Set(); const orphans: ResourceTreeNode[] = []; let allChildNodes: ResourceTreeNode[] = []; nodesHavingChildren.set(appNode.uid, 1); diff --git a/ui/src/app/applications/components/application-status-panel/appset-status-panel.tsx b/ui/src/app/applications/components/application-status-panel/appset-status-panel.tsx new file mode 100644 index 0000000000..20e50b1bd2 --- /dev/null +++ b/ui/src/app/applications/components/application-status-panel/appset-status-panel.tsx 
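Review bot: The nested ternary computing `managedKeys` is hard to scan, and its two inner branches differ only in whether `status.resources` exists; `new Set(((props.app as models.ApplicationSet).status?.resources ?? []).map(nodeKey))` collapses them so the expression has a single `isApp` split. `orphanedKeys` being an empty `Set` for ApplicationSets is consistent with the details page passing `showOrphanedResources: false`, so that branch looks intentional. The tree-layout code around this lives in a function whose start and end are outside the hunk.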
@@ -0,0 +1,89 @@ +import {HelpIcon} from 'argo-ui'; +import * as React from 'react'; +import {ARGO_GRAY6_COLOR} from '../../../shared/components'; +import {Timestamp} from '../../../shared/components/timestamp'; +import * as models from '../../../shared/models'; +import {getAppSetConditionCategory, getAppSetHealthStatus, HealthStatusIcon} from '../utils'; + +import './application-status-panel.scss'; + +interface Props { + appSet: models.ApplicationSet; + showConditions?: () => any; +} + +interface SectionInfo { + title: string; + helpContent?: string; +} + +const sectionLabel = (info: SectionInfo) => ( + +); + +const getConditionCounts = (conditions: models.ApplicationSetCondition[]) => { + const counts = {info: 0, warning: 0, error: 0}; + if (!conditions) return counts; + + conditions.forEach(c => { + const category = getAppSetConditionCategory(c); + counts[category]++; + }); + return counts; +}; + +export const ApplicationSetStatusPanel = ({appSet, showConditions}: Props) => { + const healthStatus = getAppSetHealthStatus(appSet); + const conditions = appSet.status?.conditions || []; + const conditionCounts = getConditionCounts(conditions); + const latestCondition = conditions.length > 0 ? conditions[conditions.length - 1] : null; + + return ( +
    +
    + {sectionLabel({title: 'APPSET HEALTH', helpContent: 'The health status of your ApplicationSet derived from its conditions'})} +
    + +   + {healthStatus} +
    + {latestCondition?.message &&
    {latestCondition.message}
    } +
    + + {conditions.length > 0 && ( +
    + {sectionLabel({title: 'CONDITIONS'})} +
    showConditions && showConditions()}> + {conditionCounts.info > 0 && ( + + {conditionCounts.info} Info + + )} + {conditionCounts.error > 0 && ( + + {conditionCounts.error} Error + {conditionCounts.error !== 1 && 's'} + + )} +
    +
    + )} + + {latestCondition?.lastTransitionTime && ( +
    + {sectionLabel({title: 'LAST UPDATED'})} +
    + +
    +
    + )} +
    + ); +}; diff --git a/ui/src/app/applications/components/application-summary/application-summary.tsx b/ui/src/app/applications/components/application-summary/application-summary.tsx index 658bb46900..f56fe122bb 100644 --- a/ui/src/app/applications/components/application-summary/application-summary.tsx +++ b/ui/src/app/applications/components/application-summary/application-summary.tsx @@ -8,6 +8,7 @@ import { DataLoader, EditablePanel, EditablePanelItem, + EditablePanelContent, Expandable, MapInputField, NumberField, @@ -22,7 +23,7 @@ import {services} from '../../../shared/services'; import {ApplicationSyncOptionsField} from '../application-sync-options/application-sync-options'; import {RevisionFormField} from '../revision-form-field/revision-form-field'; -import {ComparisonStatusIcon, HealthStatusIcon, syncStatusMessage, urlPattern, formatCreationTimestamp, getAppDefaultSource, getAppSpecDefaultSource, helpTip} from '../utils'; +import {ComparisonStatusIcon, HealthStatusIcon, syncStatusMessage, urlPattern, formatCreationTimestamp, getAppDefaultSource, getAppSpecDefaultSource} from '../utils'; import {ApplicationRetryOptions} from '../application-retry-options/application-retry-options'; import {ApplicationRetryView} from '../application-retry-view/application-retry-view'; import {Link} from 'react-router-dom'; 
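Review bot: `getConditionCounts` tallies a `warning` bucket, but the CONDITIONS section only renders `conditionCounts.info` and `conditionCounts.error`, so warning-category conditions are counted and then never shown; either add a matching warning badge or drop the bucket. `counts[category]++` also assumes `getAppSetConditionCategory` returns exactly one of the three keys — any other value creates a `NaN`-valued property rather than failing visibly, so a guard or an exhaustive switch would be safer. `conditions[conditions.length - 1]` for "latest" relies on array order; unless conditions are known to be appended chronologically, LAST UPDATED may not reflect the most recent transition, and `conditions.at(-1)` would at least read more directly. `showConditions && showConditions()` can be `showConditions?.()`.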
@@ -61,12 +62,22 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => { const useAuthSettingsCtx = React.useContext(AuthSettingsCtx); const [destFormat, setDestFormat] = React.useState(initialState); const [, setChangeSync] = React.useState(false); + const [isHydratorEnabled, setIsHydratorEnabled] = React.useState(!!app.spec.sourceHydrator); + const [savedSyncSource, setSavedSyncSource] = React.useState(app.spec.sourceHydrator?.syncSource || {targetBranch: '', path: ''}); const notificationSubscriptions = useEditNotificationSubscriptions(app.metadata.annotations || {}); const updateApp = notificationSubscriptions.withNotificationSubscriptions(props.updateApp); + const updateAppSource = async (input: models.Application, query: {validate?: boolean}) => { + const hydrateTo = input.spec.sourceHydrator?.hydrateTo; + if (hydrateTo && !hydrateTo.targetBranch?.trim() && input.spec.sourceHydrator) { + delete input.spec.sourceHydrator.hydrateTo; + } + return updateApp(input, query); + }; + const hasMultipleSources = app.spec.sources && app.spec.sources.length > 0; - const isHydrator = app.spec.sourceHydrator && true; + const isHydrator = isHydratorEnabled; const repoType = source.repoURL.startsWith('oci://') ? 'oci' : (source.hasOwnProperty('chart') && 'helm') || 'git'; const attributes = [ 
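Review bot: `updateAppSource` mutates its `input` argument (`delete input.spec.sourceHydrator.hydrateTo`) before forwarding it, so the form values object the caller still holds is changed as a side effect of saving. Building the cleaned spec on a copy avoids that, e.g. `const {hydrateTo, ...sourceHydrator} = input.spec.sourceHydrator;` followed by `return updateApp({...input, spec: {...input.spec, sourceHydrator}}, query);`. `isHydratorEnabled` and `savedSyncSource` are seeded from `app` only on first render; if the `app` prop changes (a server-side update that enables the hydrator, or a different app rendered through the same instance), the toggle state stays stale unless an effect resyncs it — worth confirming how this component is keyed. The component body continues outside the hunk.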
@@ -172,97 +183,6 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => { title: 'CREATED AT', view: formatCreationTimestamp(app.metadata.creationTimestamp) }, - !hasMultipleSources && { - title: 'REPO URL', - view: , - edit: (formApi: FormApi) => - }, - ...(!hasMultipleSources - ? isHelm - ? [ - { - title: 'CHART', - view: {source && `${source.chart}:${source.targetRevision}`}, - edit: (formApi: FormApi) => - hasMultipleSources ? ( - helpTip('CHART is not editable for applications with multiple sources. You can edit them in the "Manifest" tab.') - ) : ( - services.repos.charts(src.repoURL).catch(() => new Array())}> - {(charts: models.HelmChart[]) => ( -
    -
    - chart.name), - filterSuggestions: true - }} - /> -
    - { - const chartInfo = data.charts.find(chart => chart.name === data.chart); - return (chartInfo && chartInfo.versions) || new Array(); - }}> - {(versions: string[]) => ( -
    - - -
    - )} -
    -
    - )} -
    - ) - } - ] - : [ - { - title: 'TARGET REVISION', - view: , - edit: (formApi: FormApi) => - hasMultipleSources ? ( - helpTip('TARGET REVISION is not editable for applications with multiple sources. You can edit them in the "Manifest" tab.') - ) : ( - - ) - }, - { - title: 'PATH', - view: ( - - {processPath(source.path)} - - ), - edit: (formApi: FormApi) => - hasMultipleSources ? ( - helpTip('PATH is not editable for applications with multiple sources. You can edit them in the "Manifest" tab.') - ) : ( - - ) - } - ] - : []), { title: 'REVISION HISTORY LIMIT', view: app.spec.revisionHistoryLimit, @@ -379,6 +299,235 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => { }); } + const standardSourceItems: EditablePanelItem[] = useAuthSettingsCtx?.hydratorEnabled + ? [ + { + title: 'ENABLE HYDRATOR', + hint: 'Enable Source Hydrator to render and push manifests to a Git branch.', + view: false, // Hide in view mode + edit: (formApi: FormApi) => ( +
    + { + const updatedApp = formApi.getFormState().values as models.Application; + if (val) { + // Enable hydrator - move source to sourceHydrator.drySource + if (!updatedApp.spec.sourceHydrator) { + updatedApp.spec.sourceHydrator = { + drySource: { + repoURL: updatedApp.spec.source.repoURL, + targetRevision: updatedApp.spec.source.targetRevision, + path: updatedApp.spec.source.path + }, + syncSource: savedSyncSource + }; + delete updatedApp.spec.source; + } + } else { + // Disable hydrator - save sync source values and move drySource back to source + if (updatedApp.spec.sourceHydrator) { + setSavedSyncSource(updatedApp.spec.sourceHydrator.syncSource); + updatedApp.spec.source = updatedApp.spec.sourceHydrator.drySource; + delete updatedApp.spec.sourceHydrator; + } + } + formApi.setAllValues(updatedApp); + setIsHydratorEnabled(val); + }} + checked={!!(formApi.getFormState().values as models.Application).spec.sourceHydrator} + id='enable-hydrator' + /> + +
    + ) + } + ] + : []; + + const sourceItems: EditablePanelItem[] = [ + { + title: 'REPO URL', + view: , + edit: (formApi: FormApi) => + }, + ...(isHelm + ? [ + { + title: 'CHART', + view: {source && `${source.chart}:${source.targetRevision}`}, + edit: (formApi: FormApi) => ( + services.repos.charts(src.repoURL).catch(() => new Array())}> + {(charts: models.HelmChart[]) => ( +
    +
    + chart.name), filterSuggestions: true}} + /> +
    + { + const chartInfo = data.charts.find(chart => chart.name === data.chart); + return (chartInfo && chartInfo.versions) || new Array(); + }}> + {(versions: string[]) => ( +
    + + +
    + )} +
    +
    + )} +
    + ) + } + ] + : [ + { + title: 'TARGET REVISION', + view: , + edit: (formApi: FormApi) => ( + + ) + }, + { + title: 'PATH', + view: ( + + {processPath(source.path)} + + ), + edit: (formApi: FormApi) => + } + ]) + ]; + + const drySourceItems: EditablePanelItem[] = [ + { + title: 'REPO URL', + hint: 'Git repo containing the unrendered source (Helm/Kustomize/manifests).', + view: , + edit: (formApi: FormApi) => + }, + { + title: 'TARGET REVISION', + hint: 'Git revision to read the dry source from (branch/tag/SHA).', + view: , + edit: (formApi: FormApi) => ( + + ) + }, + { + title: 'PATH', + hint: 'Directory in the dry repo with the unrendered source.', + view: ( + + {processPath(app.spec.sourceHydrator?.drySource?.path)} + + ), + edit: (formApi: FormApi) => + } + ]; + + const syncSourceItems: EditablePanelItem[] = [ + { + title: 'TARGET BRANCH', + hint: 'Branch where hydrated manifests are written and synced from.', + view: , + edit: (formApi: FormApi) => ( + + ) + }, + { + title: 'PATH', + hint: 'Output directory for hydrated manifests; must be a non-root path.', + view: ( + + {processPath(app.spec.sourceHydrator?.syncSource?.path)} + + ), + edit: (formApi: FormApi) => + } + ]; + + const hydrateToItems: EditablePanelItem[] = [ + { + title: 'TARGET BRANCH (OPTIONAL)', + hint: 'Optional staging branch to write hydrated output before syncing.', + view: ( + + ), + edit: (formApi: FormApi) => ( + + ) + } + ]; + + const sourceAttributes: (EditablePanelItem | EditablePanelContent)[] = isHydrator + ? 
[ + ...standardSourceItems, + { + sectionName: 'Dry Source', + items: drySourceItems + }, + { + sectionName: 'Sync Source', + items: syncSourceItems + }, + { + sectionName: 'Hydrate To', + items: hydrateToItems + } + ] + : [...standardSourceItems, ...sourceItems]; + async function setAutoSync(ctx: ContextApis, confirmationTitle: string, confirmationText: string, prune: boolean, selfHeal: boolean, enable: boolean) { const confirmed = await ctx.popup.confirm(confirmationTitle, confirmationText); if (confirmed) { @@ -490,6 +639,16 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => { items={attributes} onModeSwitch={() => notificationSubscriptions.onResetNotificationSubscriptions()} /> + {!hasMultipleSources && ( + notificationSubscriptions.onResetNotificationSubscriptions()} + /> + )} {ctx => (
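Review bot: The SYNC SOURCE PATH hint states the value "must be a non-root path", but the editor attached to it in this hunk is a plain text field with no visible validation, so the constraint is enforced server-side at best and the user only learns of a bad value after submit; a field-level validator that rejects an empty or `/` path, or a hint that says the API rejects it, closes that gap. The ENABLE HYDRATOR `onChange` also edits the object returned by `formApi.getFormState().values` in place (`delete updatedApp.spec.source`, `delete updatedApp.spec.sourceHydrator`) before calling `setAllValues`; whether the form library tolerates in-place mutation of its values object is worth confirming, and a structured copy sidesteps the question. When enabling, the handler reads `updatedApp.spec.source.repoURL` unguarded; that is safe only because the panel is gated on `!hasMultipleSources`, which deserves a one-line comment at the read. The component body continues outside the hunk.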
    @@ -595,19 +754,3 @@ export const ApplicationSummary = (props: ApplicationSummaryProps) => {
    ); }; - -/** Get the repository URL field based on the hydrator status */ -const getRepoField = (isHydrator: boolean): string => { - const repoURLField = isHydrator ? 'spec.sourceHydrator.drySource.repoURL' : 'spec.source.repoURL'; - return repoURLField; -}; - -const getTargetRevisionField = (isHydrator: boolean): string => { - const targetRevisionField = isHydrator ? 'spec.sourceHydrator.drySource.targetRevision' : 'spec.source.targetRevision'; - return targetRevisionField; -}; - -const getPathField = (isHydrator: boolean): string => { - const pathField = isHydrator ? 'spec.sourceHydrator.drySource.path' : 'spec.source.path'; - return pathField; -}; diff --git a/ui/src/app/applications/components/applications-list/application-table-row.tsx b/ui/src/app/applications/components/applications-list/application-table-row.tsx new file mode 100644 index 0000000000..cf95084567 --- /dev/null +++ b/ui/src/app/applications/components/applications-list/application-table-row.tsx 
@@ -0,0 +1,164 @@ +import {DropDownMenu, Tooltip} from 'argo-ui'; +import * as React from 'react'; +import Moment from 'react-moment'; +import {Cluster} from '../../../shared/components'; +import {ContextApis} from '../../../shared/context'; +import * as models from '../../../shared/models'; +import {ApplicationURLs} from '../application-urls'; +import * as AppUtils from '../utils'; +import {getAppDefaultSource, OperationState, getApplicationLinkURL, getManagedByURL} from '../utils'; +import {ApplicationsLabels} from './applications-labels'; +import {ApplicationsSource} from './applications-source'; +import {services} from '../../../shared/services'; +import {ViewPreferences} from '../../../shared/services'; + +export interface ApplicationTableRowProps { + app: models.Application; + selected: boolean; + pref: ViewPreferences; + ctx: ContextApis; + syncApplication: (appName: string, appNamespace: string) => void; + refreshApplication: (appName: string, appNamespace: string) => void; + deleteApplication: (appName: string, appNamespace: string) => void; +} + +export const ApplicationTableRow = ({app, selected, pref, ctx, syncApplication, refreshApplication, deleteApplication}: ApplicationTableRowProps) => { + const favList = pref.appList.favoritesAppList || []; + const healthStatus = app.status.health.status; + const linkInfo = getApplicationLinkURL(app, ctx.baseHref); + const source = getAppDefaultSource(app); + + const handleFavoriteToggle = (e: React.MouseEvent) => { + e.stopPropagation(); + if (favList?.includes(app.metadata.name)) { + favList.splice(favList.indexOf(app.metadata.name), 1); + } else { + favList.push(app.metadata.name); + } + services.viewPreferences.updatePreferences({appList: {...pref.appList, favoritesAppList: favList}}); + }; + + const handleExternalLinkClick = (e: React.MouseEvent) => { + e.stopPropagation(); + if (linkInfo.isExternal) { + window.open(linkInfo.url, '_blank', 'noopener,noreferrer'); + } else { + 
ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`); + } + }; + + return ( +
    +
    ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`, {}, {event: e})}> + {/* First column: Favorite, URLs, Project, Name */} +
    +
    +
    +
    + + + + +
    +
    +
    Project:
    +
    {app.spec.project}
    +
    +
    +
    +
    Name:
    +
    + + {app.metadata.name} +
    + + {app.metadata.creationTimestamp} + + + }> + {app.metadata.name} +
    + +
    +
    +
    + + {/* Second column: Source and Destination */} +
    +
    +
    Source:
    +
    +
    + +
    +
    + +
    +
    +
    +
    +
    Destination:
    +
    + /{app.spec.destination.namespace} +
    +
    +
    + + {/* Third column: Status and Actions */} +
    + {app.status.health.status}
    + {app.status.sourceHydrator?.currentOperation && ( + <> + {' '} + {app.status.sourceHydrator.currentOperation.phase}
    + + )} + + {app.status.sync.status} + ( + + )} + items={[ + { + title: 'Sync', + iconClassName: 'fa fa-fw fa-sync', + action: () => syncApplication(app.metadata.name, app.metadata.namespace) + }, + { + title: 'Refresh', + iconClassName: 'fa fa-fw fa-redo', + action: () => refreshApplication(app.metadata.name, app.metadata.namespace) + }, + { + title: 'Delete', + iconClassName: 'fa fa-fw fa-times-circle', + action: () => deleteApplication(app.metadata.name, app.metadata.namespace) + } + ]} + /> +
    +
    +
    + ); +}; diff --git a/ui/src/app/applications/components/applications-list/application-tile.tsx b/ui/src/app/applications/components/applications-list/application-tile.tsx new file mode 100644 index 0000000000..82041832af --- /dev/null +++ b/ui/src/app/applications/components/applications-list/application-tile.tsx 
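Review bot: `handleFavoriteToggle` mutates `favList` in place with `splice`/`push`, and because `favList` is `pref.appList.favoritesAppList` itself (the `|| []` only substitutes a missing array), the caller-owned preference state is changed before `updatePreferences` runs; the `favList?.includes` optional chain is also redundant after that default. Build the new list immutably instead: `const name = app.metadata.name;` `const next = favList.includes(name) ? favList.filter(n => n !== name) : [...favList, name];` `services.viewPreferences.updatePreferences({appList: {...pref.appList, favoritesAppList: next}});`. The same handler, together with `handleExternalLinkClick`, is duplicated verbatim in the new application-tile.tsx in this commit, so a shared helper in `utils` would fix both and keep them in sync. `window.open` is already called with `noopener,noreferrer`, which is right for the external branch; if `getApplicationLinkURL` can derive `url` from application metadata, it is worth confirming that it only yields http(s) URLs before they are opened.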
@@ -0,0 +1,267 @@ +import {Tooltip} from 'argo-ui'; +import * as classNames from 'classnames'; +import * as React from 'react'; +import {Cluster} from '../../../shared/components'; +import {ContextApis, AuthSettingsCtx} from '../../../shared/context'; +import * as models from '../../../shared/models'; +import {ApplicationURLs} from '../application-urls'; +import * as AppUtils from '../utils'; +import {getAppDefaultSource, OperationState, getApplicationLinkURL, getManagedByURL} from '../utils'; +import {services} from '../../../shared/services'; +import {ViewPreferences} from '../../../shared/services'; + +export interface ApplicationTileProps { + app: models.Application; + selected: boolean; + pref: ViewPreferences; + ctx: ContextApis; + tileRef?: React.RefObject; + syncApplication: (appName: string, appNamespace: string) => void; + refreshApplication: (appName: string, appNamespace: string) => void; + deleteApplication: (appName: string, appNamespace: string) => void; +} + +export const ApplicationTile = ({app, selected, pref, ctx, tileRef, syncApplication, refreshApplication, deleteApplication}: ApplicationTileProps) => { + const useAuthSettingsCtx = React.useContext(AuthSettingsCtx); + const favList = pref.appList.favoritesAppList || []; + + const source = getAppDefaultSource(app); + const isOci = source?.repoURL?.startsWith('oci://'); + const targetRevision = source ? 
source.targetRevision || 'HEAD' : 'Unknown'; + const linkInfo = getApplicationLinkURL(app, ctx.baseHref); + const healthStatus = app.status.health.status; + + const handleFavoriteToggle = (e: React.MouseEvent) => { + e.stopPropagation(); + if (favList?.includes(app.metadata.name)) { + favList.splice(favList.indexOf(app.metadata.name), 1); + } else { + favList.push(app.metadata.name); + } + services.viewPreferences.updatePreferences({appList: {...pref.appList, favoritesAppList: favList}}); + }; + + const handleExternalLinkClick = (e: React.MouseEvent) => { + e.stopPropagation(); + if (linkInfo.isExternal) { + window.open(linkInfo.url, '_blank', 'noopener,noreferrer'); + } else { + ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`); + } + }; + + return ( +
    +
    ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`, {view: pref.appDetails.view}, {event: e})}> +
    + {/* Header row with icon, title, and action buttons */} +
    +
    0 ? 'columns small-10' : 'columns small-11'}> + + + {AppUtils.appQualifiedName(app, useAuthSettingsCtx?.appsInAnyNamespaceEnabled)} + +
    +
    0 ? 'columns small-2' : 'columns small-1'}> +
    + + + +
    +
    +
    + + {/* Project row */} +
    +
    + Project: +
    +
    {app.spec.project}
    +
    + + {/* Labels row */} +
    +
    + Labels: +
    +
    + + {Object.keys(app.metadata.labels || {}) + .map(label => ({label, value: app.metadata.labels[label]})) + .map(item => ( +
    + {item.label}={item.value} +
    + ))} +
    + }> + + {Object.keys(app.metadata.labels || {}) + .map(label => `${label}=${app.metadata.labels[label]}`) + .join(', ')} + + +
    +
    + + {/* Status row */} +
    +
    + Status: +
    +
    + {app.status.health.status} +   + {app.status.sourceHydrator?.currentOperation && ( + <> + {' '} + {app.status.sourceHydrator.currentOperation.phase} +   + + )} + {app.status.sync.status} +   + +
    +
    + + {/* Repository row */} +
    +
    + Repository: +
    +
    + + {source?.repoURL} + +
    +
    + + {/* Target Revision row */} +
    +
    + Target Revision: +
    +
    {targetRevision}
    +
    + + {/* Path row (conditional) */} + {source?.path && ( +
    +
    + Path: +
    +
    {source?.path}
    +
    + )} + + {/* Chart row (conditional) */} + {source?.chart && ( +
    +
    + Chart: +
    +
    {source?.chart}
    +
    + )} + + {/* Destination row */} +
    +
    + Destination: +
    +
    + +
    +
    + + {/* Namespace row */} +
    +
    + Namespace: +
    +
    {app.spec.destination.namespace}
    +
    + + {/* Created At row */} +
    +
    + Created At: +
    +
    {AppUtils.formatCreationTimestamp(app.metadata.creationTimestamp)}
    +
    + + {/* Last Sync row (conditional) */} + {app.status.operationState && ( +
    +
    + Last Sync: +
    +
    {AppUtils.formatCreationTimestamp(app.status.operationState.finishedAt || app.status.operationState.startedAt)}
    +
    + )} + + {/* Action buttons */} + +
    +
    +
    + ); +}; diff --git a/ui/src/app/applications/components/applications-list/applications-filter.tsx b/ui/src/app/applications/components/applications-list/applications-filter.tsx index 544c1a1728..288cec3ce3 100644 --- a/ui/src/app/applications/components/applications-list/applications-filter.tsx +++ b/ui/src/app/applications/components/applications-list/applications-filter.tsx @@ -1,10 +1,10 @@ import {useData, Checkbox} from 'argo-ui/v2'; import * as minimatch from 'minimatch'; import * as React from 'react'; -import {Context} from '../../../shared/context'; import { Application, ApplicationDestination, + ApplicationSet, Cluster, HealthStatusCode, HealthStatuses, 
@@ -14,29 +14,40 @@ import { SyncStatusCode, SyncStatuses } from '../../../shared/models'; -import {AppsListPreferences, services} from '../../../shared/services'; +import {AppsListPreferences, AppSetsListPreferences, services} from '../../../shared/services'; import {Filter, FiltersGroup} from '../filter/filter'; -import * as LabelSelector from '../label-selector'; -import {ComparisonStatusIcon, getAppDefaultSource, HealthStatusIcon, getOperationStateTitle} from '../utils'; +import {createMetadataSelector} from '../selectors'; +import {ComparisonStatusIcon, getAppSetHealthStatus, HealthStatusIcon, getOperationStateTitle} from '../utils'; import {formatClusterQueryParam} from '../../../shared/utils'; import {COLORS} from '../../../shared/components/colors'; export interface FilterResult { - repos: boolean; sync: boolean; autosync: boolean; health: boolean; - namespaces: boolean; clusters: boolean; + namespaces: boolean; + operation: boolean; + annotations: boolean; + favourite: boolean; + labels: boolean; +} + +export interface ApplicationSetFilterResult { + health: boolean; favourite: boolean; labels: boolean; - operation: boolean; } export interface FilteredApp extends Application { + isAppOfAppsPattern?: boolean; filterResult: FilterResult; } +export interface ApplicationSetFilteredApp extends ApplicationSet { + filterResult: ApplicationSetFilterResult; +} + export function getAutoSyncStatus(syncPolicy?: SyncPolicy) { if (!syncPolicy || !syncPolicy.automated || syncPolicy.automated.enabled === false) { return 'Disabled'; 
@@ -44,11 +55,13 @@ export function getAutoSyncStatus(syncPolicy?: SyncPolicy) { return 'Enabled'; } -export function getFilterResults(applications: Application[], pref: AppsListPreferences): FilteredApp[] { +export function getAppFilterResults(applications: Application[], pref: AppsListPreferences): FilteredApp[] { + const labelSelector = createMetadataSelector(pref.labelsFilter || []); + const annotationSelector = createMetadataSelector(pref.annotationsFilter || []); + return applications.map(app => ({ ...app, filterResult: { - repos: pref.reposFilter.length === 0 || pref.reposFilter.includes(getAppDefaultSource(app).repoURL), sync: pref.syncFilter.length === 0 || pref.syncFilter.includes(app.status.sync.status), autosync: pref.autoSyncFilter.length === 0 || pref.autoSyncFilter.includes(getAutoSyncStatus(app.spec.syncPolicy)), health: pref.healthFilter.length === 0 || pref.healthFilter.includes(app.status.health.status), 
@@ -66,12 +79,26 @@ export function getFilterResults(applications: Application[], pref: AppsListPref return (inputMatch && inputMatch[0] === app.spec.destination.server) || (app.spec.destination.name && minimatch(app.spec.destination.name, filterString)); } }), - labels: pref.labelsFilter.length === 0 || pref.labelsFilter.every(selector => LabelSelector.match(selector, app.metadata.labels)), + labels: pref.labelsFilter.length === 0 || labelSelector(app.metadata.labels), + annotations: pref.annotationsFilter.length === 0 || annotationSelector(app.metadata.annotations), operation: pref.operationFilter.length === 0 || pref.operationFilter.includes(getOperationStateTitle(app)) } })); } +export function getAppSetFilterResults(appSets: ApplicationSet[], pref: AppSetsListPreferences): ApplicationSetFilteredApp[] { + const labelSelector = createMetadataSelector(pref.labelsFilter || []); + + return appSets.map(appSet => ({ + ...appSet, + filterResult: { + health: pref.healthFilter.length === 0 || pref.healthFilter.includes(getAppSetHealthStatus(appSet)), + favourite: !pref.showFavorites || (pref.favoritesAppList && pref.favoritesAppList.includes(appSet.metadata.name)), + labels: pref.labelsFilter.length === 0 || labelSelector(appSet.metadata.labels) + } + })); +} + const optionsFrom = (options: string[], filter: string[]) => { return options .filter(s => filter.indexOf(s) === -1) @@ -80,7 +107,8 @@ const optionsFrom = (options: string[], filter: string[]) => { }); }; -interface AppFilterProps { +// Props for Application filters +export interface AppFilterProps { apps: FilteredApp[]; pref: AppsListPreferences; onChange: (newPrefs: AppsListPreferences) => void; 
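Review bot: `annotations: pref.annotationsFilter.length === 0 || …` dereferences `pref.annotationsFilter` unguarded, while `annotationSelector` a few lines earlier is built from `pref.annotationsFilter || []`; `annotationsFilter` is a new preference key, so stored preferences that predate this change (and URLs without an `annotations` param) will presumably have it undefined and throw here for every application. Use the same guard in both places: `annotations: (pref.annotationsFilter || []).length === 0 || annotationSelector(app.metadata.annotations),`. `getAppSetFilterResults` in the same hunk has the same mismatch for `pref.labelsFilter` — guarded when `labelSelector` is created, unguarded in `labels:`.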
@@ -88,6 +116,15 @@ interface AppFilterProps { collapsed?: boolean; } +// Props for ApplicationSet filters +export interface AppSetFilterProps { + apps: ApplicationSetFilteredApp[]; + pref: AppSetsListPreferences; + onChange: (newPrefs: AppSetsListPreferences) => void; + children?: React.ReactNode; + collapsed?: boolean; +} + const getCounts = (apps: FilteredApp[], filterType: keyof FilterResult, filter: (app: Application) => string, init?: string[]) => { const map = new Map(); if (init) { @@ -100,6 +137,18 @@ const getCounts = (apps: FilteredApp[], filterType: keyof FilterResult, filter: return map; }; +const getAppSetCounts = (apps: ApplicationSetFilteredApp[], filterType: keyof ApplicationSetFilterResult, filter: (app: ApplicationSet) => string, init?: string[]) => { + const map = new Map(); + if (init) { + init.forEach(key => map.set(key, 0)); + } + // filter out all apps that does not match other filters and ignore this filter result + apps.filter(app => filter(app) && Object.keys(app.filterResult).every((key: keyof ApplicationSetFilterResult) => key === filterType || app.filterResult[key])).forEach(app => + map.set(filter(app), (map.get(filter(app)) || 0) + 1) + ); + return map; +}; + const getOptions = (apps: FilteredApp[], filterType: keyof FilterResult, filter: (app: Application) => string, keys: string[], getIcon?: (k: string) => React.ReactNode) => { const counts = getCounts(apps, filterType, filter, keys); return keys.map(k => { 
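Review bot: `getAppSetCounts` is a line-for-line copy of `getCounts` that differs only in the element and filter-result types, and `getAppSetOptions` in the next hunk repeats `getOptions` the same way; one generic `getCounts<A extends {filterResult: R}, R extends object>(apps: A[], filterType: keyof R, filter: (app: A) => string, init?: string[])` would serve both lists and stop the two from drifting. The copied comment `// filter out all apps that does not match other filters …` should read `that do not match`. `filter(app)` is also evaluated up to three times per element across the `.filter`/`.forEach` chain; computing `const key = filter(app)` once per element is cheaper and easier to read.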
@@ -111,6 +160,23 @@ const getOptions = (apps: FilteredApp[], filterType: keyof FilterResult, filter: }); }; +const getAppSetOptions = ( + apps: ApplicationSetFilteredApp[], + filterType: keyof ApplicationSetFilterResult, + filter: (app: ApplicationSet) => string, + keys: string[], + getIcon?: (k: string) => React.ReactNode +) => { + const counts = getAppSetCounts(apps, filterType, filter, keys); + return keys.map(k => { + return { + label: k, + icon: getIcon && getIcon(k), + count: counts.get(k) + }; + }); +}; + const SyncFilter = (props: AppFilterProps) => ( ( /> ); -const HealthFilter = (props: AppFilterProps) => ( +const AppHealthFilter = (props: AppFilterProps) => ( ( /> ); -const LabelsFilter = (props: AppFilterProps) => { - const labels = new Map>(); - props.apps - .filter(app => app.metadata && app.metadata.labels) - .forEach(app => - Object.keys(app.metadata.labels).forEach(label => { - let values = labels.get(label); - if (!values) { - values = new Set(); - labels.set(label, values); - } - values.add(app.metadata.labels[label]); - }) - ); - const suggestions = new Array(); - Array.from(labels.entries()).forEach(([label, values]) => { - suggestions.push(label); - values.forEach(val => suggestions.push(`${label}=${val}`)); - }); - const labelOptions = suggestions.map(s => { - return {label: s}; - }); +const AppSetHealthFilter = (props: AppSetFilterProps) => ( + props.onChange({...props.pref, healthFilter: s})} + options={getAppSetOptions( + props.apps, + 'health', + app => getAppSetHealthStatus(app), + Object.keys(HealthStatuses), + s => ( + + ) + )} + /> +); - return props.onChange({...props.pref, labelsFilter: s})} field={true} options={labelOptions} />; -}; +const LabelsFilter = React.memo( + (props: {apps: Array<{metadata: {labels?: {[key: string]: string}}}>; pref: {labelsFilter: string[]}; onChange: (labelsFilter: string[]) => void}) => { + const labelOptions = React.useMemo(() => { + const labels = new Map>(); + props.apps + .filter(app => 
app.metadata && app.metadata.labels) + .forEach(app => + Object.keys(app.metadata.labels).forEach(label => { + let values = labels.get(label); + if (!values) { + values = new Set(); + labels.set(label, values); + } + values.add(app.metadata.labels[label]); + }) + ); + const suggestions: string[] = []; + labels.forEach((values, label) => { + suggestions.push(label); + values.forEach(val => suggestions.push(`${label}=${val}`)); + }); + return suggestions.map(s => ({label: s})); + }, [props.apps]); + + return props.onChange(s)} field={true} options={labelOptions} />; + } +); + +const AnnotationsFilter = React.memo((props: AppFilterProps) => { + const annotationOptions = React.useMemo(() => { + const annotations = new Map>(); + + props.apps + .filter(app => app.metadata && app.metadata.annotations) + .forEach(app => + Object.keys(app.metadata.annotations).forEach(annotation => { + let values = annotations.get(annotation); + if (!values) { + values = new Set(); + annotations.set(annotation, values); + } + values.add(app.metadata.annotations[annotation]); + }) + ); + + const suggestions = new Array(); + Array.from(annotations.entries()).forEach(([annotation, values]) => { + suggestions.push(annotation); + values.forEach(val => suggestions.push(`${annotation}=${val}`)); + }); + + return suggestions.map(s => ({label: s})); + }, [props.apps]); + + return ( + props.onChange({...props.pref, annotationsFilter: s})} + field={true} + options={annotationOptions} + /> + ); +}); const ProjectFilter = (props: AppFilterProps) => { const [projects, loading, error] = useData( @@ -194,7 +316,7 @@ const ProjectFilter = (props: AppFilterProps) => { ); }; -const ClusterFilter = (props: AppFilterProps) => { +const ClusterFilter = React.memo((props: AppFilterProps) => { const getClusterDetail = (dest: ApplicationDestination, clusterList: Cluster[]): string => { const cluster = (clusterList || []).find(target => target.name === dest.name || target.server === dest.server); if (!cluster) { 
@@ -204,9 +326,9 @@ const ClusterFilter = (props: AppFilterProps) => { }; const [clusters, loading, error] = useData(() => services.clusters.list()); - const clusterOptions = optionsFrom( - Array.from(new Set(props.apps.map(app => getClusterDetail(app.spec.destination, clusters)).filter(item => !!item))), - props.pref.clustersFilter + const clusterOptions = React.useMemo( + () => optionsFrom(Array.from(new Set(props.apps.map(app => getClusterDetail(app.spec.destination, clusters)).filter(item => !!item))), props.pref.clustersFilter), + [props.apps, clusters, props.pref.clustersFilter] ); return ( @@ -221,10 +343,13 @@ const ClusterFilter = (props: AppFilterProps) => { loading={loading} /> ); -}; +}); -const NamespaceFilter = (props: AppFilterProps) => { - const namespaceOptions = optionsFrom(Array.from(new Set(props.apps.map(app => app.spec.destination.namespace).filter(item => !!item))), props.pref.namespacesFilter); +const NamespaceFilter = React.memo((props: AppFilterProps) => { + const namespaceOptions = React.useMemo( + () => optionsFrom(Array.from(new Set(props.apps.map(app => app.spec.destination.namespace).filter(item => !!item))), props.pref.namespacesFilter), + [props.apps, props.pref.namespacesFilter] + ); return ( { options={namespaceOptions} /> ); -}; +}); -const FavoriteFilter = (props: AppFilterProps) => { - const ctx = React.useContext(Context); +const FavoriteFilter = (props: {value: boolean; onChange: (showFavorites: boolean) => void}) => { const onChange = (val: boolean) => { - ctx.navigation.goto('.', {showFavorites: val}, {replace: true}); - services.viewPreferences.updatePreferences({appList: {...props.pref, showFavorites: val}}); + props.onChange(val); }; return (
    onChange(!props.pref.showFavorites)}> + onClick={() => onChange(!props.value)}> ( ); export const ApplicationsFilter = (props: AppFilterProps) => { + const appliedFilter = [ + ...(props.pref.syncFilter || []), + ...(props.pref.healthFilter || []), + ...(props.pref.operationFilter || []), + ...(props.pref.labelsFilter || []), + ...(props.pref.projectsFilter || []), + ...(props.pref.clustersFilter || []), + ...(props.pref.namespacesFilter || []), + ...(props.pref.autoSyncFilter || []), + ...(props.pref.showFavorites ? ['favorites'] : []) + ]; + + const onClearFilter = () => { + const newPref: AppsListPreferences = {...props.pref}; + AppsListPreferences.clearFilters(newPref); + props.onChange(newPref); + }; + return ( - - + + props.onChange({...props.pref, showFavorites: val})} /> - + - + props.onChange({...props.pref, labelsFilter})} /> + @@ -354,3 +496,13 @@ export const ApplicationsFilter = (props: AppFilterProps) => { ); }; + +export const AppSetsFilter = (props: AppSetFilterProps) => { + return ( + + props.onChange({...props.pref, showFavorites: val})} /> + + props.onChange({...props.pref, labelsFilter})} /> + + ); +}; diff --git a/ui/src/app/applications/components/applications-list/applications-list.tsx b/ui/src/app/applications/components/applications-list/applications-list.tsx index 17a13119ce..3e6d406bb8 100644 --- a/ui/src/app/applications/components/applications-list/applications-list.tsx +++ b/ui/src/app/applications/components/applications-list/applications-list.tsx 
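Review bot: The new `appliedFilter` array in `ApplicationsFilter` collects `syncFilter`, `healthFilter`, `operationFilter`, `labelsFilter`, `projectsFilter`, `clustersFilter`, `namespacesFilter`, `autoSyncFilter` and the favourites flag, but not `annotationsFilter`, even though the same component now renders `AnnotationsFilter` and writes `annotationsFilter` into the preferences. Whatever `appliedFilter` drives — presumably the applied-filter indicator and the clear-filters control of `FiltersGroup` — will therefore ignore an annotation-only filter; add `...(props.pref.annotationsFilter || []),` next to the `labelsFilter` entry. It is also worth confirming that `AppsListPreferences.clearFilters`, called from `onClearFilter`, resets `annotationsFilter` as well, since that helper is not visible here.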
@@ -9,13 +9,13 @@ import {bufferTime, delay, filter, map, mergeMap, repeat, retryWhen} from 'rxjs/ import {AddAuthToToolbar, ClusterCtx, DataLoader, EmptyState, Page, Paginate, Spinner} from '../../../shared/components'; import {AuthSettingsCtx, Consumer, Context, ContextApis} from '../../../shared/context'; import * as models from '../../../shared/models'; -import {AppsListViewKey, AppsListPreferences, AppsListViewType, HealthStatusBarPreferences, services} from '../../../shared/services'; +import {AppsListViewKey, AppsListPreferences, AppSetsListPreferences, AppsListViewType, HealthStatusBarPreferences, services} from '../../../shared/services'; import {ApplicationCreatePanel} from '../application-create-panel/application-create-panel'; import {ApplicationSyncPanel} from '../application-sync-panel/application-sync-panel'; import {ApplicationsSyncPanel} from '../applications-sync-panel/applications-sync-panel'; import * as AppUtils from '../utils'; -import {ApplicationsFilter, FilteredApp, getFilterResults} from './applications-filter'; -import {ApplicationsStatusBar} from './applications-status-bar'; +import {ApplicationsFilter, AppSetsFilter, FilteredApp, ApplicationSetFilteredApp, getAppFilterResults, getAppSetFilterResults} from './applications-filter'; +import {AppsStatusBar, AppSetsStatusBar} from './applications-status-bar'; import {ApplicationsSummary} from './applications-summary'; import {ApplicationsTable} from './applications-table'; import {ApplicationTiles} from './applications-tiles'; @@ -159,6 +159,13 @@ const ViewPref = ({children}: {children: (pref: AppsListPreferences & {page: num .map(decodeURIComponent) .filter(item => !!item); } + if (params.get('annotations') != null) { + viewPref.annotationsFilter = params + .get('annotations') + .split(',') + .map(decodeURIComponent) + .filter(item => !!item); + } return {...viewPref, page: parseInt(params.get('page') || '0', 10), search: params.get('search') || ''}; }) ) 
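Review bot: The new `annotations` branch maps `decodeURIComponent` over the split values, which throws `URIError` on any value with a malformed percent sequence (a trailing `%`, `%E0`, …), and if `params` is a `URLSearchParams` its `get()` has already percent-decoded the value, so a filter value containing a literal `%` reaches `decodeURIComponent` and takes the whole list view down from a hand-edited URL. The pre-existing `labels` branch shown in the context lines has the same exposure; a small helper that falls back to the raw value keeps a bad query string from crashing the page. `ViewPref` continues outside this hunk.
```typescript
// Percent-decode a query value without letting a malformed sequence escape as URIError.
const safeDecodeURIComponent = (value: string): string => {
    try {
        return decodeURIComponent(value);
    } catch {
        return value;
    }
};
// … unchanged: ViewPref up to the labels branch …
    if (params.get('annotations') != null) {
        viewPref.annotationsFilter = params
            .get('annotations')
            .split(',')
            .map(safeDecodeURIComponent)
            .filter(item => !!item);
    }
```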
@@ -168,18 +175,36 @@ const ViewPref = ({children}: {children: (pref: AppsListPreferences & {page: num ); }; -function filterApps(applications: models.Application[], pref: AppsListPreferences, search: string): {filteredApps: models.Application[]; filterResults: FilteredApp[]} { - applications = applications.map(app => { +function filterApplications(applications: models.Application[], pref: AppsListPreferences, search: string): {filteredApps: models.Application[]; filterResults: FilteredApp[]} { + const processedApps = applications.map(app => { let isAppOfAppsPattern = false; - for (const resource of app.status.resources) { - if (resource.kind === 'Application') { - isAppOfAppsPattern = true; - break; + if (app.status?.resources) { + for (const resource of app.status.resources) { + if (resource.kind === 'Application') { + isAppOfAppsPattern = true; + break; + } } } return {...app, isAppOfAppsPattern}; }); - const filterResults = getFilterResults(applications, pref); + const filterResults = getAppFilterResults(processedApps, pref); + + return { + filterResults, + filteredApps: filterResults.filter( + app => (search === '' || app.metadata.name.includes(search) || app.metadata.namespace.includes(search)) && Object.values(app.filterResult).every(val => val) + ) + }; +} + +function filterApplicationSets( + appSets: models.ApplicationSet[], + pref: AppSetsListPreferences, + search: string +): {filteredApps: models.ApplicationSet[]; filterResults: ApplicationSetFilteredApp[]} { + const filterResults = getAppSetFilterResults(appSets, pref); + return { filterResults, filteredApps: filterResults.filter( 
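Review bot: The search predicate `search === '' || app.metadata.name.includes(search) || app.metadata.namespace.includes(search)` is written out in `filterApplications` and, from the context lines, repeated in the tail of `filterApplicationSets`, whose body continues outside this hunk; a single `matchesSearch(app: models.AbstractApplication, search: string)` helper would keep both lists searching the same way. If `metadata.namespace` can be unset for either kind, `(app.metadata.namespace || '').includes(search)` in that helper also avoids a throw in the same spot the new `app.status?.resources` guard just hardened for `status`.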
@@ -196,8 +221,8 @@ function tryJsonParse(input: string) { } } -const SearchBar = (props: {content: string; ctx: ContextApis; apps: models.Application[]}) => { - const {content, ctx, apps} = {...props}; +const SearchBar = (props: {content: string; ctx: ContextApis; apps: models.AbstractApplication[]; isListOfApplications: boolean}) => { + const {content, ctx, apps, isListOfApplications} = {...props}; const searchBar = React.useRef(null); @@ -256,7 +281,7 @@ const SearchBar = (props: {content: string; ctx: ContextApis; apps: models.Appli }} style={{fontSize: '14px'}} className='argo-field' - placeholder='Search applications...' + placeholder={isListOfApplications ? 'Search applications...' : 'Search application sets...'} />
    /
    {content && ( @@ -287,19 +312,20 @@ const SearchBar = (props: {content: string; ctx: ContextApis; apps: models.Appli }; interface ApplicationsToolbarProps { - applications: models.Application[]; + applications: models.AbstractApplication[]; pref: AppsListPreferences & {page: number; search: string}; ctx: ContextApis; healthBarPrefs: HealthStatusBarPreferences; + isListOfApplications: boolean; } -const ApplicationsToolbar: React.FC = ({applications, pref, ctx, healthBarPrefs}) => { +const ApplicationsToolbar: React.FC = ({applications, pref, ctx, healthBarPrefs, isListOfApplications}) => { const {List, Summary, Tiles} = AppsListViewKey; const query = useQuery(); return ( - +
    )}> - {(applications: models.Application[]) => { + {(applications: models.AbstractApplication[]) => { const healthBarPrefs = pref.statusBarView || ({} as HealthStatusBarPreferences); - const {filteredApps, filterResults} = filterApps(applications, pref, pref.search); const handleCreatePanelClose = async () => { const outsideDiv = document.querySelector('.sliding-panel__outside'); const closeButton = document.querySelector('.sliding-panel__close'); @@ -489,76 +539,290 @@ export const ApplicationsList = (props: RouteComponentProps & {objectListKi ctx.navigation.goto('.', {new: null}, {replace: true}); } }; - return ( - - , - actionMenu: { - items: [ - { - title: 'New App', - iconClassName: 'fa fa-plus', - qeId: 'applications-list-button-new-app', - action: () => ctx.navigation.goto('.', {new: '{}'}, {replace: true}) - }, - { - title: 'Sync Apps', - iconClassName: 'fa fa-sync', - action: () => ctx.navigation.goto('.', {syncApps: true}, {replace: true}) - }, - { - title: 'Refresh Apps', - iconClassName: 'fa fa-redo', - action: () => ctx.navigation.goto('.', {refreshApps: true}, {replace: true}) - } - ] - } - }} - /> -
    - {applications.length === 0 && pref.projectsFilter?.length === 0 && (pref.labelsFilter || []).length === 0 ? ( - -

    No applications available to you just yet

    -
    Create new application to start managing resources in your cluster
    - -
    - ) : ( - <> - {ReactDOM.createPortal( - services.viewPreferences.getPreferences()}> - {allpref => ( - onFilterPrefChanged(ctx, newPrefs)} - pref={pref} - collapsed={allpref.hideSidebar} - /> - )} - , - sidebarTarget?.current - )} - {(pref.view === 'summary' && ) || ( + if (isListOfApplications) { + // Applications path - fully type-safe + const apps = applications as models.Application[]; + const {filteredApps, filterResults} = filterApplications(apps, pref, pref.search); + + return ( + + + ), + actionMenu: { + items: [ + { + title: 'New App', + iconClassName: 'fa fa-plus', + qeId: 'applications-list-button-new-app', + action: () => ctx.navigation.goto('.', {new: '{}'}, {replace: true}) + }, + { + title: 'Sync Apps', + iconClassName: 'fa fa-sync', + action: () => ctx.navigation.goto('.', {syncApps: true}, {replace: true}) + }, + { + title: 'Refresh Apps', + iconClassName: 'fa fa-redo', + action: () => ctx.navigation.goto('.', {refreshApps: true}, {replace: true}) + } + ] + } + }} + /> +
    + {apps.length === 0 && pref.projectsFilter?.length === 0 && (pref.labelsFilter || []).length === 0 ? ( + +

    No applications available to you just yet

    +
    Create new application to start managing resources in your cluster
    + +
    + ) : ( + <> + {ReactDOM.createPortal( + services.viewPreferences.getPreferences()}> + {allpref => ( + onAppFilterPrefChanged(ctx, newPrefs)} + pref={pref} + collapsed={allpref.hideSidebar} + /> + )} + , + sidebarTarget?.current + )} + + {(pref.view === 'summary' && ) || ( + 1 && } + showHeader={healthBarPrefs.showHealthStatusBar} + preferencesKey='applications-list' + page={pref.page} + emptyState={() => ( + +

    No matching applications found

    +
    + Change filter criteria or  + { + AppsListPreferences.clearFilters(pref); + onAppFilterPrefChanged(ctx, pref); + }}> + clear filters + +
    +
    + )} + sortOptions={[ + { + title: 'Name', + compare: (a, b) => a.metadata.name.localeCompare(b.metadata.name, undefined, {numeric: true}) + }, + { + title: 'Created At', + compare: (b, a) => a.metadata.creationTimestamp.localeCompare(b.metadata.creationTimestamp) + }, + { + title: 'Synchronized', + compare: (b, a) => + a.status.operationState?.finishedAt?.localeCompare(b.status.operationState?.finishedAt) + } + ]} + data={filteredApps} + onPageChange={page => ctx.navigation.goto('.', {page})}> + {data => + (pref.view === 'tiles' && ( + + ctx.navigation.goto('.', {syncApp: appName, appNamespace}, {replace: true}) + } + refreshApplication={refreshApp} + deleteApplication={(appName, appNamespace) => + AppUtils.deleteApplication(appName, appNamespace, ctx) + } + /> + )) || ( + + ctx.navigation.goto('.', {syncApp: appName, appNamespace}, {replace: true}) + } + refreshApplication={refreshApp} + deleteApplication={(appName, appNamespace) => + AppUtils.deleteApplication(appName, appNamespace, ctx) + } + /> + ) + } +
    + )} + + )} + ctx.navigation.goto('.', {syncApps: null}, {replace: true})} + apps={filteredApps} + /> + ctx.navigation.goto('.', {refreshApps: null}, {replace: true})} + apps={filteredApps} + /> +
    + + observableQuery$.pipe( + mergeMap(params => { + const syncApp = params.get('syncApp'); + const appNamespace = params.get('appNamespace'); + return (syncApp && from(services.applications.get(syncApp, appNamespace, objectListKind))) || from([null]); + }) + ) + }> + {app => ( + ctx.navigation.goto('.', {syncApp: null}, {replace: true})} + /> + )} + + handleCreatePanelClose()} + header={ +
    + {' '} + +
    + }> + {appInput && ( + { + setCreateApi(api); + }} + createApp={async app => { + setAppCreatePending(true); + try { + await services.applications.create(app); + ctx.navigation.goto('.', {new: null}, {replace: true}); + } catch (e) { + ctx.notifications.show({ + content: , + type: NotificationType.Error + }); + } finally { + setAppCreatePending(false); + } + }} + app={appInput} + onAppChanged={app => ctx.navigation.goto('.', {new: JSON.stringify(app)}, {replace: true})} + /> + )} +
    +
    + ); + } else { + // ApplicationSets path - fully type-safe + const appSets = applications as models.ApplicationSet[]; + const appSetPref: AppSetsListPreferences = { + labelsFilter: pref.labelsFilter, + healthFilter: pref.healthFilter, + showFavorites: pref.showFavorites, + favoritesAppList: pref.favoritesAppList, + view: pref.view, + hideFilters: pref.hideFilters, + statusBarView: pref.statusBarView, + annotationsFilter: pref.annotationsFilter + }; + const {filteredApps, filterResults} = filterApplicationSets(appSets, appSetPref, pref.search); + + return ( + + + ), + actionMenu: { + items: [] // No action menu for ApplicationSets yet + } + }} + /> +
    + {appSets.length === 0 && (pref.labelsFilter || []).length === 0 ? ( + +

    No ApplicationSets available to you just yet

    +
    ApplicationSets will appear here once created
    +
    + ) : ( + <> + {ReactDOM.createPortal( + services.viewPreferences.getPreferences()}> + {allpref => ( + onAppSetFilterPrefChanged(ctx, newPrefs)} + pref={appSetPref} + collapsed={allpref.hideSidebar} + /> + )} + , + sidebarTarget?.current + )} + 1 && } + header={filteredApps.length > 1 && } showHeader={healthBarPrefs.showHealthStatusBar} preferencesKey='applications-list' page={pref.page} emptyState={() => ( -

    No matching applications found

    +

    No matching application sets found

    Change filter criteria or  { - AppsListPreferences.clearFilters(pref); - onFilterPrefChanged(ctx, pref); + AppSetsListPreferences.clearFilters(appSetPref); + onAppSetFilterPrefChanged(ctx, appSetPref); }}> clear filters @@ -573,11 +837,6 @@ export const ApplicationsList = (props: RouteComponentProps & {objectListKi { title: 'Created At', compare: (b, a) => a.metadata.creationTimestamp.localeCompare(b.metadata.creationTimestamp) - }, - { - title: 'Synchronized', - compare: (b, a) => - a.status.operationState?.finishedAt?.localeCompare(b.status.operationState?.finishedAt) } ]} data={filteredApps} @@ -586,110 +845,26 @@ export const ApplicationsList = (props: RouteComponentProps & {objectListKi (pref.view === 'tiles' && ( - ctx.navigation.goto('.', {syncApp: appName, appNamespace}, {replace: true}) - } - refreshApplication={refreshApp} - deleteApplication={(appName, appNamespace) => - AppUtils.deleteApplication(appName, appNamespace, ctx) - } + syncApplication={() => {}} + refreshApplication={() => {}} + deleteApplication={() => {}} /> )) || ( - ctx.navigation.goto('.', {syncApp: appName, appNamespace}, {replace: true}) - } - refreshApplication={refreshApp} - deleteApplication={(appName, appNamespace) => - AppUtils.deleteApplication(appName, appNamespace, ctx) - } + syncApplication={() => {}} + refreshApplication={() => {}} + deleteApplication={() => {}} /> ) } - )} - - )} - ctx.navigation.goto('.', {syncApps: null}, {replace: true})} - apps={filteredApps} - /> - ctx.navigation.goto('.', {refreshApps: null}, {replace: true})} - apps={filteredApps} - /> -
    - - observableQuery$.pipe( - mergeMap(params => { - const syncApp = params.get('syncApp'); - const appNamespace = params.get('appNamespace'); - return (syncApp && from(services.applications.get(syncApp, appNamespace, objectListKind))) || from([null]); - }) - ) - }> - {app => ( - ctx.navigation.goto('.', {syncApp: null}, {replace: true})} - /> - )} - - handleCreatePanelClose()} //Separate handling for outside click. - header={ -
    - {' '} - -
    - }> - {appInput && ( - { - setCreateApi(api); - }} - createApp={async app => { - setAppCreatePending(true); - try { - await services.applications.create(app); - ctx.navigation.goto('.', {new: null}, {replace: true}); - } catch (e) { - ctx.notifications.show({ - content: , - type: NotificationType.Error - }); - } finally { - setAppCreatePending(false); - } - }} - app={appInput} - onAppChanged={app => ctx.navigation.goto('.', {new: JSON.stringify(app)}, {replace: true})} - /> - )} -
    -
    - ); + + )} +
    +
    + ); + } }} diff --git a/ui/src/app/applications/components/applications-list/applications-status-bar.tsx b/ui/src/app/applications/components/applications-list/applications-status-bar.tsx index d1b4f8a460..3fe2fef1d5 100644 --- a/ui/src/app/applications/components/applications-list/applications-status-bar.tsx +++ b/ui/src/app/applications/components/applications-list/applications-status-bar.tsx @@ -3,15 +3,18 @@ import * as React from 'react'; import {COLORS} from '../../../shared/components'; import {Consumer} from '../../../shared/context'; import * as models from '../../../shared/models'; +import {getAppSetHealthStatus} from '../utils'; import './applications-status-bar.scss'; -export interface ApplicationsStatusBarProps { - applications: models.Application[]; +interface Reading { + name: string; + value: number; + color: string; } -export const ApplicationsStatusBar = ({applications}: ApplicationsStatusBarProps) => { - const readings = [ +function getAppReadings(applications: models.Application[]): Reading[] { + return [ { name: 'Healthy', value: applications.filter(app => app.status.health.status === 'Healthy').length, 
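Review bot: The ApplicationSet branch passes `syncApplication={() => {}}`, `refreshApplication={() => {}}` and `deleteApplication={() => {}}` into the tiles and the table, which satisfies the required prop types but turns an unsupported action into a silent no-op. Since `AppSetTile` and `AppSetTableRow` take only `appSet`, `selected`, `pref`, `ctx` (and `tileRef`) and never receive these callbacks, it would be clearer to declare the three props optional on `ApplicationTilesProps` and `ApplicationsTable` (`syncApplication?: (appName: string, appNamespace: string) => any;`) and omit them here, or at least leave a one-line comment such as `// ApplicationSets have no per-row sync/refresh/delete actions` next to the stubs. The enclosing `ApplicationsList` component and the start of its ApplicationSet branch lie before this hunk.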
@@ -43,11 +46,38 @@ export const ApplicationsStatusBar = ({applications}: ApplicationsStatusBarProps color: COLORS.health.unknown } ]; +} +function getAppSetReadings(appSets: models.ApplicationSet[]): Reading[] { + return [ + { + name: 'Healthy', + value: appSets.filter(appSet => getAppSetHealthStatus(appSet) === 'Healthy').length, + color: COLORS.health.healthy + }, + { + name: 'Progressing', + value: appSets.filter(appSet => getAppSetHealthStatus(appSet) === 'Progressing').length, + color: COLORS.health.progressing + }, + { + name: 'Degraded', + value: appSets.filter(appSet => getAppSetHealthStatus(appSet) === 'Degraded').length, + color: COLORS.health.degraded + }, + { + name: 'Unknown', + value: appSets.filter(appSet => getAppSetHealthStatus(appSet) === 'Unknown').length, + color: COLORS.health.unknown + } + ]; +} + +function StatusBarRenderer({readings}: {readings: Reading[]}) { // will sort readings by value greatest to lowest, then by name - readings.sort((a, b) => (a.value < b.value ? 1 : a.value === b.value ? (a.name > b.name ? 1 : -1) : -1)); + const sortedReadings = [...readings].sort((a, b) => (a.value < b.value ? 1 : a.value === b.value ? (a.name > b.name ? 1 : -1) : -1)); - const totalItems = readings.reduce((total, i) => { + const totalItems = sortedReadings.reduce((total, i) => { return total + i.value; }, 0); @@ -57,9 +87,9 @@ export const ApplicationsStatusBar = ({applications}: ApplicationsStatusBarProps <> {totalItems > 1 && (
    - {readings && - readings.length > 1 && - readings.map((item, i) => { + {sortedReadings && + sortedReadings.length > 1 && + sortedReadings.map((item, i) => { if (item.value > 0) { return (
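Review bot: `getAppSetReadings` calls `getAppSetHealthStatus(appSet)` four times per ApplicationSet, once in each `filter`, and any status the helper returns outside Healthy/Progressing/Degraded/Unknown (its range is defined in `../utils`, outside this view) is silently left out of the total the bar is scaled against. A single pass that tallies the status once per item keeps the helper call to one per ApplicationSet and makes adding a bucket a one-line change. `getAppReadings` above has the same repeated-filter shape, but that is pre-existing code moved into a function rather than new logic.
```typescript
function getAppSetReadings(appSets: models.ApplicationSet[]): Reading[] {
    // tally each ApplicationSet's health once instead of re-evaluating it per bucket
    const counts = new Map<string, number>();
    for (const appSet of appSets) {
        const status = getAppSetHealthStatus(appSet);
        counts.set(status, (counts.get(status) ?? 0) + 1);
    }
    return [
        {name: 'Healthy', value: counts.get('Healthy') ?? 0, color: COLORS.health.healthy},
        {name: 'Progressing', value: counts.get('Progressing') ?? 0, color: COLORS.health.progressing},
        {name: 'Degraded', value: counts.get('Degraded') ?? 0, color: COLORS.health.degraded},
        {name: 'Unknown', value: counts.get('Unknown') ?? 0, color: COLORS.health.unknown}
    ];
}
```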
    @@ -76,4 +106,35 @@ export const ApplicationsStatusBar = ({applications}: ApplicationsStatusBarProps )} ); +} + +export interface AppsStatusBarProps { + applications: models.Application[]; +} + +export const AppsStatusBar = ({applications}: AppsStatusBarProps) => { + if (!applications || applications.length === 0) { + return null; + } + return ; +}; + +export interface AppSetsStatusBarProps { + appSets: models.ApplicationSet[]; +} + +export const AppSetsStatusBar = ({appSets}: AppSetsStatusBarProps) => { + if (!appSets || appSets.length === 0) { + return null; + } + return ; +}; + +// Legacy wrapper for backwards compatibility (callers should migrate to AppsStatusBar or AppSetsStatusBar) +export interface ApplicationsStatusBarProps { + applications: models.Application[]; +} + +export const ApplicationsStatusBar = ({applications}: ApplicationsStatusBarProps) => { + return ; }; diff --git a/ui/src/app/applications/components/applications-list/applications-table.tsx b/ui/src/app/applications/components/applications-list/applications-table.tsx index 1d1b0ac420..76a94f07a0 100644 --- a/ui/src/app/applications/components/applications-list/applications-table.tsx +++ b/ui/src/app/applications/components/applications-list/applications-table.tsx 
@@ -1,20 +1,18 @@ -import {DataLoader, DropDownMenu, Tooltip} from 'argo-ui'; +import {DataLoader} from 'argo-ui'; import * as React from 'react'; -import Moment from 'react-moment'; import {Key, KeybindingContext, useNav} from 'argo-ui/v2'; -import {Cluster} from '../../../shared/components'; import {Consumer, Context} from '../../../shared/context'; import * as models from '../../../shared/models'; -import {ApplicationURLs} from '../application-urls'; import * as AppUtils from '../utils'; -import {getAppDefaultSource, OperationState, getApplicationLinkURL, getManagedByURL} from '../utils'; -import {ApplicationsLabels} from './applications-labels'; -import {ApplicationsSource} from './applications-source'; +import {isApp} from '../utils'; import {services} from '../../../shared/services'; +import {ApplicationTableRow} from './application-table-row'; +import {AppSetTableRow} from './appset-table-row'; + import './applications-table.scss'; export const ApplicationsTable = (props: { - applications: models.Application[]; + applications: models.AbstractApplication[]; syncApplication: (appName: string, appNamespace: string) => any; refreshApplication: (appName: string, appNamespace: string) => any; deleteApplication: (appName: string, appNamespace: string) => any; @@ -48,149 +46,26 @@ export const ApplicationsTable = (props: { {ctx => ( services.viewPreferences.getPreferences()}> - {pref => { - const favList = pref.appList.favoritesAppList || []; - return ( -
    - {props.applications.map((app, i) => { - return ( -
    -
    ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`, {}, {event: e})}> -
    -
    -
    -
    - - - - -
    -
    -
    Project:
    -
    {app.spec.project}
    -
    -
    -
    -
    Name:
    -
    - - {app.metadata.name} -
    - - {app.metadata.creationTimestamp} - - - }> - {app.metadata.name} -
    - {/* External link icon for managed-by-url */} - {(() => { - const linkInfo = getApplicationLinkURL(app, ctx.baseHref); - return ( - - ); - })()} -
    -
    -
    - -
    -
    -
    Source:
    -
    -
    - -
    -
    - -
    -
    -
    -
    -
    Destination:
    -
    - /{app.spec.destination.namespace} -
    -
    -
    - -
    - {app.status.health.status}
    - {app.status.sourceHydrator?.currentOperation && ( - <> - {' '} - {app.status.sourceHydrator.currentOperation.phase}
    - - )} - - {app.status.sync.status} - ( - - )} - items={[ - { - title: 'Sync', - iconClassName: 'fa fa-fw fa-sync', - action: () => props.syncApplication(app.metadata.name, app.metadata.namespace) - }, - { - title: 'Refresh', - iconClassName: 'fa fa-fw fa-redo', - action: () => props.refreshApplication(app.metadata.name, app.metadata.namespace) - }, - { - title: 'Delete', - iconClassName: 'fa fa-fw fa-times-circle', - action: () => props.deleteApplication(app.metadata.name, app.metadata.namespace) - } - ]} - /> -
    -
    -
    - ); - })} -
    - ); - }} + {pref => ( +
    + {props.applications.map((app, i) => + isApp(app) ? ( + + ) : ( + + ) + )} +
    + )} )} diff --git a/ui/src/app/applications/components/applications-list/applications-tiles.tsx b/ui/src/app/applications/components/applications-list/applications-tiles.tsx index f0a45e6537..0e91f914f1 100644 --- a/ui/src/app/applications/components/applications-list/applications-tiles.tsx +++ b/ui/src/app/applications/components/applications-list/applications-tiles.tsx @@ -1,19 +1,18 @@ -import {DataLoader, Tooltip} from 'argo-ui'; -import * as classNames from 'classnames'; +import {DataLoader} from 'argo-ui'; import * as React from 'react'; import {Key, KeybindingContext, NumKey, NumKeyToNumber, NumPadKey, useNav} from 'argo-ui/v2'; -import {Cluster} from '../../../shared/components'; -import {Consumer, Context, AuthSettingsCtx} from '../../../shared/context'; +import {Consumer, Context} from '../../../shared/context'; import * as models from '../../../shared/models'; -import {ApplicationURLs} from '../application-urls'; import * as AppUtils from '../utils'; -import {getAppDefaultSource, OperationState, getApplicationLinkURL, getManagedByURL} from '../utils'; +import {isApp} from '../utils'; import {services} from '../../../shared/services'; +import {ApplicationTile} from './application-tile'; +import {AppSetTile} from './appset-tile'; import './applications-tiles.scss'; export interface ApplicationTilesProps { - applications: models.Application[]; + applications: models.AbstractApplication[]; syncApplication: (appName: string, appNamespace: string) => any; refreshApplication: (appName: string, appNamespace: string) => any; deleteApplication: (appName: string, appNamespace: string) => any; 
@@ -50,10 +49,9 @@ export const ApplicationTiles = ({applications, syncApplication, refreshApplicat const [selectedApp, navApp, reset] = useNav(applications.length); const ctxh = React.useContext(Context); - const appRef = {ref: React.useRef(null), set: false}; + const firstTileRef = React.useRef(null); const appContainerRef = React.useRef(null); - const appsPerRow = useItemsPerContainer(appRef.ref, appContainerRef); - const useAuthSettingsCtx = React.useContext(AuthSettingsCtx); + const appsPerRow = useItemsPerContainer(firstTileRef, appContainerRef); const {useKeybinding} = React.useContext(KeybindingContext); @@ -98,243 +96,39 @@ export const ApplicationTiles = ({applications, syncApplication, refreshApplicat return navApp(NumKeyToNumber(n)); } }); + return ( {ctx => ( services.viewPreferences.getPreferences()}> - {pref => { - const favList = pref.appList.favoritesAppList || []; - return ( -
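Review bot: `firstTileRef` is a single ref handed to `useItemsPerContainer`, so exactly one tile must receive it; the removed `{ref: React.useRef(null), set: false}` pair used the `set` flag to guarantee that. The element attributes in the `applications.map(...)` rendering are not visible in this view, so please confirm `tileRef` is wired only for the first element, e.g. `tileRef={i === 0 ? firstTileRef : undefined}`; if every tile received the same ref, React would leave it pointing at the last tile mounted and the per-row measurement would presumably come from the wrong element. A short comment on the declaration, `// attached to the first tile only; useItemsPerContainer derives appsPerRow from it`, would make the contract explicit, though what the hook measures is defined outside this hunk.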
    - {applications.map((app, i) => { - const source = getAppDefaultSource(app); - const isOci = source?.repoURL?.startsWith('oci://'); - const targetRevision = source ? source.targetRevision || 'HEAD' : 'Unknown'; - const linkInfo = getApplicationLinkURL(app, ctx.baseHref); - return ( -
    -
    ctx.navigation.goto(`/${AppUtils.getAppUrl(app)}`, {view: pref.appDetails.view}, {event: e})}> -
    -
    -
    0 ? 'columns small-10' : 'columns small-11'}> - - - - {AppUtils.appQualifiedName(app, useAuthSettingsCtx?.appsInAnyNamespaceEnabled)} - - -
    -
    0 ? 'columns small-2' : 'columns small-1'}> -
    - - - -
    -
    -
    -
    -
    - Project: -
    -
    {app.spec.project}
    -
    -
    -
    - Labels: -
    -
    - - {Object.keys(app.metadata.labels || {}) - .map(label => ({label, value: app.metadata.labels[label]})) - .map(item => ( -
    - {item.label}={item.value} -
    - ))} -
    - }> - - {Object.keys(app.metadata.labels || {}) - .map(label => `${label}=${app.metadata.labels[label]}`) - .join(', ')} - - -
    -
    -
    -
    - Status: -
    -
    - {app.status.health.status} -   - {app.status.sourceHydrator?.currentOperation && ( - <> - {' '} - {app.status.sourceHydrator.currentOperation.phase} -   - - )} - {app.status.sync.status} -   - -
    -
    -
    -
    - Repository: -
    -
    - - {source?.repoURL} - -
    -
    -
    -
    - Target Revision: -
    -
    {targetRevision}
    -
    - {source?.path && ( -
    -
    - Path: -
    -
    {source?.path}
    -
    - )} - {source?.chart && ( -
    -
    - Chart: -
    -
    {source?.chart}
    -
    - )} -
    -
    - Destination: -
    -
    - -
    -
    -
    -
    - Namespace: -
    -
    {app.spec.destination.namespace}
    -
    -
    -
    - Created At: -
    -
    {AppUtils.formatCreationTimestamp(app.metadata.creationTimestamp)}
    -
    - {app.status.operationState && ( -
    -
    - Last Sync: -
    -
    - {AppUtils.formatCreationTimestamp(app.status.operationState.finishedAt || app.status.operationState.startedAt)} -
    -
    - )} - -
    -
    -
    - ); - })} -
    - ); - }} + {pref => ( +
    + {applications.map((app, i) => + isApp(app) ? ( + + ) : ( + + ) + )} +
    + )}
    )}
    diff --git a/ui/src/app/applications/components/applications-list/appset-table-row.tsx b/ui/src/app/applications/components/applications-list/appset-table-row.tsx new file mode 100644 index 0000000000..e01e64a5ae --- /dev/null +++ b/ui/src/app/applications/components/applications-list/appset-table-row.tsx @@ -0,0 +1,100 @@ +import {Tooltip} from 'argo-ui'; +import * as React from 'react'; +import Moment from 'react-moment'; +import {ContextApis} from '../../../shared/context'; +import * as models from '../../../shared/models'; +import * as AppUtils from '../utils'; +import {getApplicationLinkURL, getManagedByURL, getAppSetHealthStatus} from '../utils'; +import {services} from '../../../shared/services'; +import {ViewPreferences} from '../../../shared/services'; + +export interface AppSetTableRowProps { + appSet: models.ApplicationSet; + selected: boolean; + pref: ViewPreferences; + ctx: ContextApis; +} + +export const AppSetTableRow = ({appSet, selected, pref, ctx}: AppSetTableRowProps) => { + const favList = pref.appList.favoritesAppList || []; + const healthStatus = getAppSetHealthStatus(appSet); + const linkInfo = getApplicationLinkURL(appSet, ctx.baseHref); + + const handleFavoriteToggle = (e: React.MouseEvent) => { + e.stopPropagation(); + if (favList?.includes(appSet.metadata.name)) { + favList.splice(favList.indexOf(appSet.metadata.name), 1); + } else { + favList.push(appSet.metadata.name); + } + services.viewPreferences.updatePreferences({appList: {...pref.appList, favoritesAppList: favList}}); + }; + + const handleExternalLinkClick = (e: React.MouseEvent) => { + e.stopPropagation(); + if (linkInfo.isExternal) { + window.open(linkInfo.url, '_blank', 'noopener,noreferrer'); + } else { + ctx.navigation.goto(`/${AppUtils.getAppUrl(appSet)}`); + } + }; + + return ( +
    +
    ctx.navigation.goto(`/${AppUtils.getAppUrl(appSet)}`, {}, {event: e})}> + {/* First column: Favorite, Kind, Name */} +
    +
    +
    +
    + + + +
    +
    +
    Kind:
    +
    ApplicationSet
    +
    +
    +
    +
    Name:
    +
    + + {appSet.metadata.name} +
    + + {appSet.metadata.creationTimestamp} + + + }> + {appSet.metadata.name} +
    + +
    +
    +
    + + {/* Status column (takes remaining space since no Source/Destination for AppSets) */} +
    + {healthStatus} +
    +
    +
    + ); +}; diff --git a/ui/src/app/applications/components/applications-list/appset-tile.tsx b/ui/src/app/applications/components/applications-list/appset-tile.tsx new file mode 100644 index 0000000000..224d8e0b3e --- /dev/null +++ b/ui/src/app/applications/components/applications-list/appset-tile.tsx @@ -0,0 +1,138 @@ +import {Tooltip} from 'argo-ui'; +import * as React from 'react'; +import {ContextApis, AuthSettingsCtx} from '../../../shared/context'; +import * as models from '../../../shared/models'; +import * as AppUtils from '../utils'; +import {getApplicationLinkURL, getManagedByURL, getAppSetHealthStatus} from '../utils'; +import {services} from '../../../shared/services'; +import {ViewPreferences} from '../../../shared/services'; +import {ResourceIcon} from '../resource-icon'; + +export interface AppSetTileProps { + appSet: models.ApplicationSet; + selected: boolean; + pref: ViewPreferences; + ctx: ContextApis; + tileRef?: React.RefObject; +} + +export const AppSetTile = ({appSet, selected, pref, ctx, tileRef}: AppSetTileProps) => { + const useAuthSettingsCtx = React.useContext(AuthSettingsCtx); + const favList = pref.appList.favoritesAppList || []; + + const linkInfo = getApplicationLinkURL(appSet, ctx.baseHref); + const healthStatus = getAppSetHealthStatus(appSet); + + const handleFavoriteToggle = (e: React.MouseEvent) => { + e.stopPropagation(); + if (favList?.includes(appSet.metadata.name)) { + favList.splice(favList.indexOf(appSet.metadata.name), 1); + } else { + favList.push(appSet.metadata.name); + } + services.viewPreferences.updatePreferences({appList: {...pref.appList, favoritesAppList: favList}}); + }; + + const handleExternalLinkClick = (e: React.MouseEvent) => { + e.stopPropagation(); + if (linkInfo.isExternal) { + window.open(linkInfo.url, '_blank', 'noopener,noreferrer'); + } else { + ctx.navigation.goto(`/${AppUtils.getAppUrl(appSet)}`); + } + }; + + return ( +
    +
    ctx.navigation.goto(`/${AppUtils.getAppUrl(appSet)}`, {view: pref.appDetails.view}, {event: e})}> +
    + {/* Header row with icon, title, and action buttons */} +
    +
    + + + {AppUtils.appQualifiedName(appSet, useAuthSettingsCtx?.appsInAnyNamespaceEnabled)} + +
    +
    +
    + + +
    +
    +
    + + {/* Labels row */} +
    +
    + Labels: +
    +
    + + {Object.keys(appSet.metadata.labels || {}) + .map(label => ({label, value: appSet.metadata.labels[label]})) + .map(item => ( +
    + {item.label}={item.value} +
    + ))} +
    + }> + + {Object.keys(appSet.metadata.labels || {}) + .map(label => `${label}=${appSet.metadata.labels[label]}`) + .join(', ')} + + +
    +
    + + {/* Status row */} +
    +
    + Status: +
    +
    + {healthStatus} +
    +
    + + {/* Applications count row */} +
    +
    + Applications: +
    +
    {appSet.status?.resourcesCount ?? appSet.status?.resources?.length ?? 0}
    +
    + + {/* Created At row */} +
    +
    + Created At: +
    +
    {AppUtils.formatCreationTimestamp(appSet.metadata.creationTimestamp)}
    +
    +
    +
    +
    + ); +}; diff --git a/ui/src/app/applications/components/filter/filter.tsx b/ui/src/app/applications/components/filter/filter.tsx index 80423807bd..b174800728 100644 --- a/ui/src/app/applications/components/filter/filter.tsx +++ b/ui/src/app/applications/components/filter/filter.tsx @@ -145,12 +145,8 @@ export const Filter = (props: FilterProps) => { } }, [props.selected.length]); - const totalCount = options.reduce((countSum, option) => { - return countSum + option.count; - }, 0); - return ( -
    +
    {props.label || 'FILTER'} diff --git a/ui/src/app/applications/components/pod-logs-viewer/download-logs-button.tsx b/ui/src/app/applications/components/pod-logs-viewer/download-logs-button.tsx index a88658d4d8..467b1cfd3b 100644 --- a/ui/src/app/applications/components/pod-logs-viewer/download-logs-button.tsx +++ b/ui/src/app/applications/components/pod-logs-viewer/download-logs-button.tsx @@ -3,13 +3,17 @@ import * as React from 'react'; import {PodLogsProps} from './pod-logs-viewer'; import {Button} from '../../../shared/components/button'; +interface DownloadLogsButtonProps extends PodLogsProps { + previous?: boolean; +} + // DownloadLogsButton is a button that downloads the logs to a file -export const DownloadLogsButton = ({applicationName, applicationNamespace, containerName, group, kind, name, namespace, podName}: PodLogsProps) => ( +export const DownloadLogsButton = ({applicationName, applicationNamespace, containerName, group, kind, name, namespace, podName, previous}: DownloadLogsButtonProps) => ( {' '} - - - )} - - )) || ( - - )} -
    - )} - { - this.model = api.getModel() as monacoEditor.editor.ITextModel; - } - }} - /> -
    - ); - } +interface YamlEditorProps { + input: T; + hideModeButtons?: boolean; + initialEditMode?: boolean; + vScrollbar?: boolean; + enableWordWrap?: boolean; + onSave?: (patch: string, patchType: string) => Promise; + onCancel?: () => any; + minHeight?: number; +} + +export function YamlEditor(props: YamlEditorProps) { + const ctx = useContext(Context); + const [editing, setEditing] = useState(!!props.initialEditMode); + const modelRef = useRef(null); + + const yamlText = props.input ? jsYaml.dump(props.input) : ''; + + const handleSave = async () => { + try { + const updated = jsYaml.load(modelRef.current!.getLinesContent().join('\n')); + const patch = jsonMergePatch.generate(props.input, updated); + try { + const unmounted = await props.onSave?.(JSON.stringify(patch || {}), 'application/merge-patch+json'); + if (unmounted !== true) { + setEditing(false); + } + } catch (e) { + ctx.notifications.show({ + content: ( +
    + +
    + ), + type: NotificationType.Error + }); + } + } catch (e) { + ctx.notifications.show({ + content: , + type: NotificationType.Error + }); + } + }; + + const handleCancel = () => { + modelRef.current?.setValue(jsYaml.dump(props.input)); + setEditing(false); + props.onCancel?.(); + }; + + return ( +
    + {!props.hideModeButtons && ( +
    + {editing ? ( + <> + {' '} + + + ) : ( + + )} +
    + )} + { + modelRef.current = api.getModel() as monacoEditor.editor.ITextModel; + } + }} + /> +
    + ); } diff --git a/ui/src/app/shared/models.ts b/ui/src/app/shared/models.ts index f8d0e1902f..e4d7da718b 100644 --- a/ui/src/app/shared/models.ts +++ b/ui/src/app/shared/models.ts @@ -262,7 +262,11 @@ export interface SourceHydrator { export interface DrySource { repoURL: string; targetRevision: string; - path: string; + path?: string; + helm?: ApplicationSourceHelm; + kustomize?: ApplicationSourceKustomize; + plugin?: ApplicationSourcePlugin; + directory?: ApplicationSourceDirectory; } export interface SyncSource { @@ -1170,5 +1174,6 @@ export interface ApplicationSet extends AbstractApplication { targetRevisions?: string[]; }>; resources?: ApplicationSetResource[]; + resourcesCount?: number; }; } diff --git a/ui/src/app/shared/services/applications-service.ts b/ui/src/app/shared/services/applications-service.ts index 7cb3ebceb3..ddce0ae6e4 100644 --- a/ui/src/app/shared/services/applications-service.ts +++ b/ui/src/app/shared/services/applications-service.ts @@ -1,6 +1,6 @@ import * as deepMerge from 'deepmerge'; import {Observable} from 'rxjs'; -import {map, repeat, retry} from 'rxjs/operators'; +import {filter, map, repeat, retry} from 'rxjs/operators'; import * as models from '../models'; import {isValidURL} from '../utils'; 
@@ -14,11 +14,18 @@ interface QueryOptions { appNamespace?: string; } -function optionsToSearch(options?: QueryOptions) { +function optionsToSearch(options?: QueryOptions): {fields?: string; selector: string; appNamespace: string} { if (options) { - return {fields: (options.exclude ? '-' : '') + options.fields.join(','), selector: options.selector || '', appNamespace: options.appNamespace || ''}; + const result: {fields?: string; selector: string; appNamespace: string} = { + selector: options.selector || '', + appNamespace: options.appNamespace || '' + }; + if (options.fields) { + result.fields = (options.exclude ? '-' : '') + options.fields.join(','); + } + return result; } - return {}; + return {selector: '', appNamespace: ''}; } function getQuery(projects: string[], isListOfApplications: boolean, options?: QueryOptions): any { @@ -287,9 +294,10 @@ export class ApplicationsService { namespace: string, podName: string, resource: {group: string; kind: string; name: string}, - containerName: string + containerName: string, + previous: boolean ): string { - const search = this.getLogsQuery({namespace, appNamespace, podName, resource, containerName, follow: false}); + const search = this.getLogsQuery({namespace, appNamespace, podName, resource, containerName, follow: false, previous}); search.set('download', 'true'); return `api/v1/applications/${applicationName}/logs?${search.toString()}`; } 
@@ -311,7 +319,17 @@ export class ApplicationsService { }): Observable { const {applicationName} = query; const search = this.getLogsQuery(query); - const entries = requests.loadEventSource(`/applications/${applicationName}/logs?${search.toString()}`).pipe(map(data => JSON.parse(data).result as models.LogEntry)); + const entries = requests.loadEventSource(`/applications/${applicationName}/logs?${search.toString()}`).pipe( + map(data => { + try { + const parsed = JSON.parse(data); + return parsed && parsed.result ? (parsed.result as models.LogEntry) : null; + } catch (e) { + return null; + } + }), + filter((result): result is models.LogEntry => !!result) + ); let first = true; return new Observable(observer => { const subscription = entries.subscribe( @@ -605,4 +623,11 @@ export class ApplicationsService { public async listApplicationSets(): Promise { return requests.get(`/applicationsets`).then(res => res.body as models.ApplicationSetList); } + + public appSetEvents(name: string, appNamespace: string): Promise { + return requests + .get(`/applicationsets/${name}/events`) + .query({appsetNamespace: appNamespace}) + .then(res => (res.body as models.EventList).items || []); + } } diff --git a/ui/src/app/shared/services/view-preferences-service.ts b/ui/src/app/shared/services/view-preferences-service.ts index cff4aeb74b..959d38dbd4 100644 --- a/ui/src/app/shared/services/view-preferences-service.ts +++ b/ui/src/app/shared/services/view-preferences-service.ts @@ -71,10 +71,12 @@ export class AbstractAppsListPreferences { public static clearFilters(pref: AbstractAppsListPreferences) { pref.healthFilter = []; pref.labelsFilter = []; + pref.annotationsFilter = []; pref.showFavorites = false; } public labelsFilter: string[]; + public annotationsFilter: string[]; public healthFilter: string[]; public view: AppsListViewType; public hideFilters: boolean; 
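Review bot: The new `map` in the log stream turns both a JSON parse failure and a frame without `result` into `null`, and the following `filter` drops them without a trace, so a malformed or error frame from the server silently ends the useful output with no signal to the subscriber. If the endpoint emits gRPC-gateway style `{error: {...}}` frames, it would be better to surface them before the `result` check, `if (parsed && parsed.error) { throw new Error(parsed.error.message || JSON.stringify(parsed.error)); }`, so they propagate through the observable as an error instead of vanishing, and a `console.warn` in the `catch` keeps the parse-failure case diagnosable. How the `new Observable` wrapper below routes `observer.error` is outside this hunk.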
@@ -84,38 +86,18 @@ export class AbstractAppsListPreferences { } export class AppsListPreferences extends AbstractAppsListPreferences { - public static countEnabledFilters(pref: AppsListPreferences) { - return [ - pref.clustersFilter, - pref.healthFilter, - pref.labelsFilter, - pref.namespacesFilter, - pref.projectsFilter, - pref.reposFilter, - pref.syncFilter, - pref.operationFilter - ].reduce((count, filter) => { - if (filter && filter.length > 0) { - return count + 1; - } - return count; - }, 0); - } - public static clearFilters(pref: AppsListPreferences) { super.clearFilters(pref); pref.clustersFilter = []; pref.namespacesFilter = []; pref.projectsFilter = []; - pref.reposFilter = []; pref.syncFilter = []; pref.autoSyncFilter = []; pref.operationFilter = []; } public projectsFilter: string[]; - public reposFilter: string[]; public syncFilter: string[]; public autoSyncFilter: string[]; public namespacesFilter: string[]; @@ -124,15 +106,6 @@ export class AppsListPreferences extends AbstractAppsListPreferences { } export class AppSetsListPreferences extends AbstractAppsListPreferences { - public static countEnabledFilters(pref: AppSetsListPreferences) { - return [pref.healthFilter, pref.labelsFilter].reduce((count, filter) => { - if (filter && filter.length > 0) { - return count + 1; - } - return count; - }, 0); - } - public static clearFilters(pref: AppSetsListPreferences) { super.clearFilters(pref); } @@ -180,10 +153,10 @@ const DEFAULT_PREFERENCES: ViewPreferences = { appList: { view: 'tiles' as AppsListViewType, labelsFilter: new Array(), + annotationsFilter: new Array(), projectsFilter: new Array(), namespacesFilter: new Array(), clustersFilter: new Array(), - reposFilter: new Array(), syncFilter: new Array(), autoSyncFilter: new Array(), healthFilter: new Array(), 
@@ -219,7 +192,12 @@ export class ViewPreferencesService { } public updatePreferences(change: Partial) { - const nextPref = Object.assign({}, this.preferencesSubj.getValue(), change, {version: minVer}); + const current = this.preferencesSubj.getValue(); + const nextPref = Object.assign({}, current, change, {version: minVer}); + // Normalize appList to ensure all filter arrays are initialized + if (nextPref.appList) { + this.normalizeAppListPreferences(nextPref.appList); + } window.localStorage.setItem(VIEW_PREFERENCES_KEY, JSON.stringify(nextPref)); this.preferencesSubj.next(nextPref); } @@ -239,6 +217,22 @@ export class ViewPreferencesService { } else { preferences = DEFAULT_PREFERENCES; } - return deepMerge(DEFAULT_PREFERENCES, preferences); + const merged = deepMerge(DEFAULT_PREFERENCES, preferences); + // Ensure all filter arrays are initialized to prevent undefined errors + this.normalizeAppListPreferences(merged.appList); + return merged; + } + + private normalizeAppListPreferences(appList: AppsListPreferences): void { + appList.labelsFilter = appList.labelsFilter || []; + appList.annotationsFilter = appList.annotationsFilter || []; + appList.projectsFilter = appList.projectsFilter || []; + appList.namespacesFilter = appList.namespacesFilter || []; + appList.clustersFilter = appList.clustersFilter || []; + appList.syncFilter = appList.syncFilter || []; + appList.autoSyncFilter = appList.autoSyncFilter || []; + appList.healthFilter = appList.healthFilter || []; + appList.operationFilter = appList.operationFilter || []; + appList.favoritesAppList = appList.favoritesAppList || []; } } diff --git a/ui/yarn.lock b/ui/yarn.lock index 6ed4e0dac3..a7c3675370 100644 --- a/ui/yarn.lock +++ b/ui/yarn.lock 
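Review bot: `updatePreferences` calls `normalizeAppListPreferences(nextPref.appList)` on an object that `Object.assign` copied only one level deep, so `nextPref.appList` is either the caller's `change.appList` or the `appList` object already emitted to subscribers from `current`, and the normalisation writes into it in place. Copying before normalising keeps both the emitted value and the caller's argument untouched: `nextPref.appList = {...nextPref.appList};` ahead of the `normalizeAppListPreferences` call. A short comment on the helper, e.g. `// fill in any filter array that older persisted preferences leave undefined or null`, would explain why it is needed on top of the `deepMerge` with defaults in `getPreferences`.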
@@ -1813,14 +1813,16 @@ integrity sha512-YATxVxgRqNH6nHEIsvg6k2Boc1JHI9ZbH5iWFFv/MTkchz3b1ieGDa5T0a9RznNdI0KhVbdbWSN+KWWrQZRxTw== "@types/minimatch@^3.0.3": - version "3.0.3" - resolved "https://registry.yarnpkg.com/@types/minimatch/-/minimatch-3.0.3.tgz#3dca0e3f33b200fc7d1139c0cd96c1268cadfd9d" - integrity sha512-tHq6qdbT9U1IRSGf14CL0pUlULksvY9OZ+5eEgl1N7t+OA3tGvNpxJCzuKQlsNgCVwbAs670L1vcVQi8j9HjnA== + version "3.0.5" + resolved "https://registry.yarnpkg.com/@types/minimatch/-/minimatch-3.0.5.tgz#1001cc5e6a3704b83c236027e77f2f58ea010f40" + integrity sha512-Klz949h02Gz2uZCMGwDUSDS1YBlTdDDgbWHi+81l29tQALUtvz4rAYi5uoVhE5Lagoq6DeqAUlbrHvW/mXDgdQ== "@types/node@*": - version "20.6.3" - resolved "https://registry.yarnpkg.com/@types/node/-/node-20.6.3.tgz#5b763b321cd3b80f6b8dde7a37e1a77ff9358dd9" - integrity sha512-HksnYH4Ljr4VQgEy2lTStbCKv/P590tmPe5HqOnv9Gprffgv5WXAY+Y5Gqniu0GGqeTCUdBnzC3QSrzPkBkAMA== + version "25.2.0" + resolved "https://registry.yarnpkg.com/@types/node/-/node-25.2.0.tgz#015b7d228470c1dcbfc17fe9c63039d216b4d782" + integrity sha512-DZ8VwRFUNzuqJ5khrvwMXHmvPe+zGayJhr2CDNiKB1WBE1ST8Djl00D0IC4vvNmHMdj6DlbYRIaFE7WHjlDl5w== + dependencies: + undici-types "~7.16.0" "@types/node@20.14.12": version "20.14.12" 
@@ -1830,24 +1832,24 @@ undici-types "~5.26.4" "@types/prop-types@*", "@types/prop-types@^15.7.5": - version "15.7.5" - resolved "https://registry.yarnpkg.com/@types/prop-types/-/prop-types-15.7.5.tgz#5f19d2b85a98e9558036f6a3cacc8819420f05cf" - integrity sha512-JCB8C6SnDoQf0cNycqd/35A7MjcnK+ZTqE7judS6o7utxUCg6imJg3QK2qzHKszlTjcj2cn+NwMB2i96ubpj7w== + version "15.7.15" + resolved "https://registry.yarnpkg.com/@types/prop-types/-/prop-types-15.7.15.tgz#e6e5a86d602beaca71ce5163fadf5f95d70931c7" + integrity sha512-F6bEyamV9jKGAFBEmlQnesRPGOQqS2+Uwi0Em15xenOxHaf2hv6L8YCVn3rPdPJOiJfPiCnLIRyvwVaqMY3MIw== "@types/qs@*": - version "6.9.7" - resolved "https://registry.yarnpkg.com/@types/qs/-/qs-6.9.7.tgz#63bb7d067db107cc1e457c303bc25d511febf6cb" - integrity sha512-FGa1F62FT09qcrueBA6qYTrJPVDzah9a+493+o2PCXsesWHIn27G98TsSMs3WPNbZIEj4+VJf6saSFpvD+3Zsw== + version "6.14.0" + resolved "https://registry.yarnpkg.com/@types/qs/-/qs-6.14.0.tgz#d8b60cecf62f2db0fb68e5e006077b9178b85de5" + integrity sha512-eOunJqu0K1923aExK6y8p6fsihYEn/BYuQ4g0CxAAgFc4b/ZLN4CrsRZ55srTdqoiLzU2B2evC+apEIxprEzkQ== "@types/range-parser@*": - version "1.2.4" - resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.4.tgz#cd667bcfdd025213aafb7ca5915a932590acdcdc" - integrity sha512-EEhsLsD6UsDM1yFhAvy0Cjr6VwmpMWqFBCb9w07wVugF7w9nfajxLuVmngTIpgS6svCnm6Vaw+MZhoDCKnOfsw== + version "1.2.7" + resolved "https://registry.yarnpkg.com/@types/range-parser/-/range-parser-1.2.7.tgz#50ae4353eaaddc04044279812f52c8c65857dbcb" + integrity sha512-hKormJbkJqzQGhziax5PItDUTMAM9uE2XXQmM37dyd4hVM+5aVl7oVxMVUiVQn2oCQFN/LKCZdvSM0pFRqbSmQ== "@types/react-autocomplete@^1.8.10": - version "1.8.10" - resolved "https://registry.yarnpkg.com/@types/react-autocomplete/-/react-autocomplete-1.8.10.tgz#c48d01cfdb936a9958058aba119fc09e8b5bd8e2" - integrity sha512-3pL4pHLKIKuwDArUfCg8y697tsRSNyowofZGpV8vYKoGc5Jws0jrnzqTgdUHcZew0g0UxcFO1zeXD7LG0WSggg== + version "1.8.11" + resolved 
"https://registry.yarnpkg.com/@types/react-autocomplete/-/react-autocomplete-1.8.11.tgz#fef4702fdb739f11ed6694c84ba9d8e4af60b4c0" + integrity sha512-JYaD/OGfVFMK5NaGOCAd25QRs4MEevapn38xvYWjwo5brxrUMo2PucYmShTfuTX99r80UtncCMDrFZ9MGIVyvQ== dependencies: "@types/react" "*" @@ -7457,9 +7459,9 @@ pure-rand@^6.0.0: integrity sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA== qs@^6.11.0, qs@~6.14.0: - version "6.14.1" - resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.1.tgz#a41d85b9d3902f31d27861790506294881871159" - integrity sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ== + version "6.14.2" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.2.tgz#b5634cf9d9ad9898e31fba3504e866e8efb6798c" + integrity sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q== dependencies: side-channel "^1.1.0" @@ -9140,6 +9142,11 @@ undici-types@~5.26.4: resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617" integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA== +undici-types@~7.16.0: + version "7.16.0" + resolved "https://registry.yarnpkg.com/undici-types/-/undici-types-7.16.0.tgz#ffccdff36aea4884cbfce9a750a0580224f58a46" + integrity sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw== + unicode-canonical-property-names-ecmascript@^1.0.4: version "1.0.4" resolved "https://registry.yarnpkg.com/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-1.0.4.tgz#2619800c4c825800efdd8343af7dd9933cbe2818" diff --git a/util/app/path/path.go b/util/app/path/path.go index 55d10f1d74..4ea95d7416 100644 --- a/util/app/path/path.go +++ b/util/app/path/path.go 
@@ -79,8 +79,8 @@ func CheckOutOfBoundsSymlinks(basePath string) error { currentDir := filepath.Dir(path) // walk each part of the symlink target to make sure it never leaves basePath - parts := strings.Split(linkTarget, string(os.PathSeparator)) - for _, part := range parts { + parts := strings.SplitSeq(linkTarget, string(os.PathSeparator)) + for part := range parts { newDir := filepath.Join(currentDir, part) rel, err := filepath.Rel(absBasePath, newDir) if err != nil { @@ -116,7 +116,12 @@ func GetSourceRefreshPaths(app *v1alpha1.Application, source v1alpha1.Applicatio var paths []string if hasAnnotation && annotationPaths != "" { - for _, item := range strings.Split(annotationPaths, ";") { + for item := range strings.SplitSeq(annotationPaths, ";") { + // Trim whitespace because annotation values may contain spaces around + // separators (e.g. ".; /path"). Without trimming, paths like " /path" + // are not treated as absolute and empty/space-only entries may result + // in duplicate or incorrect refresh paths. + item = strings.TrimSpace(item) // skip empty paths if item == "" { continue diff --git a/util/app/path/path_test.go b/util/app/path/path_test.go index 07c043a586..06ce653ff8 100644 --- a/util/app/path/path_test.go +++ b/util/app/path/path_test.go 
@@ -192,6 +192,43 @@ func Test_GetAppRefreshPaths(t *testing.T) { source: v1alpha1.ApplicationSource{Path: "dry/path"}, expectedPaths: []string{"dry/path/deploy"}, }, + { + name: "annotation paths with spaces after semicolon", + app: getApp(ptr.To(".; dev/deploy; other/path"), ptr.To("source/path")), + source: v1alpha1.ApplicationSource{Path: "source/path"}, + expectedPaths: []string{ + "source/path", + "source/path/dev/deploy", + "source/path/other/path", + }, + }, + { + name: "annotation paths with spaces before semicolon", + app: getApp(ptr.To(". ;dev/deploy ;other/path"), ptr.To("source/path")), + source: v1alpha1.ApplicationSource{Path: "source/path"}, + expectedPaths: []string{ + "source/path", + "source/path/dev/deploy", + "source/path/other/path", + }, + }, + { + name: "annotation paths with spaces around absolute path", + app: getApp(ptr.To(" /fullpath/deploy ; other/path "), ptr.To("source/path")), + source: v1alpha1.ApplicationSource{Path: "source/path"}, + expectedPaths: []string{ + "fullpath/deploy", + "source/path/other/path", + }, + }, + { + name: "annotation paths only spaces and separators", + app: getApp(ptr.To(" ; ; . ; "), ptr.To("source/path")), + source: v1alpha1.ApplicationSource{Path: "source/path"}, + expectedPaths: []string{ + "source/path", + }, + }, } for _, tt := range tests { diff --git a/util/argo/argo.go b/util/argo/argo.go index 1b8c766624..a218dadd72 100644 --- a/util/argo/argo.go +++ b/util/argo/argo.go @@ -7,13 +7,12 @@ import ( "fmt" "regexp" "slices" - "sort" "strings" "time" - "github.com/argoproj/gitops-engine/pkg/cache" - "github.com/argoproj/gitops-engine/pkg/sync/common" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/cache" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/r3labs/diff/v3" log "github.com/sirupsen/logrus" "google.golang.org/grpc/codes" 
@@ -105,7 +104,7 @@ func FilterByProjects(apps []argoappv1.Application, projects []string) []argoapp projectsMap[projects[i]] = true } items := []argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { a := apps[i] if _, ok := projectsMap[a.Spec.GetProject()]; ok { items = append(items, a) @@ -124,7 +123,7 @@ func FilterByProjectsP(apps []*argoappv1.Application, projects []string) []*argo projectsMap[projects[i]] = true } items := []*argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { a := apps[i] if _, ok := projectsMap[a.Spec.GetProject()]; ok { items = append(items, a) @@ -143,7 +142,7 @@ func FilterAppSetsByProjects(appsets []argoappv1.ApplicationSet, projects []stri projectsMap[projects[i]] = true } items := []argoappv1.ApplicationSet{} - for i := 0; i < len(appsets); i++ { + for i := range appsets { a := appsets[i] if _, ok := projectsMap[a.Spec.Template.Spec.GetProject()]; ok { items = append(items, a) @@ -158,7 +157,7 @@ func FilterByRepo(apps []argoappv1.Application, repo string) []argoappv1.Applica return apps } items := []argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Spec.GetSource().RepoURL == repo { items = append(items, apps[i]) } @@ -172,7 +171,7 @@ func FilterByRepoP(apps []*argoappv1.Application, repo string) []*argoappv1.Appl return apps } items := []*argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Spec.GetSource().RepoURL == repo { items = append(items, apps[i]) } @@ -186,7 +185,7 @@ func FilterByPath(apps []argoappv1.Application, path string) []argoappv1.Applica return apps } items := []argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Spec.GetSource().Path == path { items = append(items, apps[i]) } 
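Review bot: `for i := range apps` immediately followed by `a := apps[i]` still indexes by hand; `for _, a := range apps {` expresses the same iteration in one line and removes the index variable. The same shape appears in the FilterByProjectsP and FilterAppSetsByProjects hunks on this line, and the FilterByRepo/FilterByRepoP/FilterByPath hunks, which index `apps[i]` twice, would read the same way with a value variable. Each of these functions starts outside its hunk, so the bodies are only partly visible.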
@@ -200,7 +199,7 @@ func FilterByCluster(apps []argoappv1.Application, cluster string) []argoappv1.A return apps } items := []argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Spec.Destination.Server == cluster || apps[i].Spec.Destination.Name == cluster { items = append(items, apps[i]) } @@ -214,7 +213,7 @@ func FilterByName(apps []argoappv1.Application, name string) ([]argoappv1.Applic return apps, nil } items := []argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Name == name { items = append(items, apps[i]) return items, nil @@ -230,7 +229,7 @@ func FilterByNameP(apps []*argoappv1.Application, name string) []*argoappv1.Appl return apps } items := []*argoappv1.Application{} - for i := 0; i < len(apps); i++ { + for i := range apps { if apps[i].Name == name { items = append(items, apps[i]) return items @@ -257,7 +256,7 @@ func RefreshApp(appIf v1alpha1.ApplicationInterface, name string, refreshType ar if err != nil { return nil, fmt.Errorf("error marshaling metadata: %w", err) } - for attempt := 0; attempt < 5; attempt++ { + for range 5 { app, err := appIf.Patch(context.Background(), name, types.MergePatchType, patch, metav1.PatchOptions{}) if err == nil { log.Infof("Requested app '%s' refresh", name) 
@@ -510,6 +509,30 @@ func validateRepo(ctx context.Context, return conditions, nil } +// GetSyncedRefSources creates a map of ref keys (the same as GetRefSources) based on syncRevisions from Application status +func GetSyncedRefSources(refSources argoappv1.RefTargetRevisionMapping, sources argoappv1.ApplicationSources, syncRevisions []string) argoappv1.RefTargetRevisionMapping { + syncedRefSources := make(argoappv1.RefTargetRevisionMapping) + for i, source := range sources { + if source.Ref == "" { + continue + } + + refKey := "$" + source.Ref + + revision := "" + if i < len(syncRevisions) { + revision = syncRevisions[i] + } + + syncedRefSources[refKey] = &argoappv1.RefTarget{ + Repo: refSources[refKey].Repo, + TargetRevision: revision, + Chart: refSources[refKey].Chart, + } + } + return syncedRefSources +} + // GetRefSources creates a map of ref keys (from the sources' 'ref' fields) to information about the referenced source. // This function also validates the references use allowed characters and does not define the same ref key more than // once (which would lead to ambiguous references). @@ -697,9 +720,7 @@ func APIResourcesToStrings(resources []kube.APIResourceInfo, includeKinds bool) for k := range resMap { res = append(res, k) } - sort.Slice(res, func(i, j int) bool { - return res[i] < res[j] - }) + slices.Sort(res) return res } diff --git a/util/argo/argo_test.go b/util/argo/argo_test.go index 6c8cff5b0c..3e78c0301c 100644 --- a/util/argo/argo_test.go +++ b/util/argo/argo_test.go @@ -7,8 +7,8 @@ import ( "path/filepath" "testing" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/kube/kubetest" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/kubetest" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/mock" "github.com/stretchr/testify/require" 
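Review bot: `refSources[refKey].Repo` and `refSources[refKey].Chart` dereference whatever the map lookup returns, and for a source whose `Ref` has no entry in refSources that is a nil `*RefTarget`, so the new GetSyncedRefSources panics instead of reporting the inconsistency; every case in the accompanying Test_GetSyncedRefSources populates refSources with each ref key, so this path is untested. Looking the target up once with the comma-ok form and deciding explicitly what a missing entry means (skip, or return an error if callers can handle one) closes the hole. The positional `syncRevisions[i]` lookup also deserves a doc line on the function, since nothing enforces the alignment: `// syncRevisions is expected to be index-aligned with sources; a ref beyond its length gets an empty TargetRevision.`
```go
		refKey := "$" + source.Ref
		refTarget, ok := refSources[refKey]
		if !ok || refTarget == nil {
			// ref without a resolved target: skip it (or return an error, per caller contract)
			continue
		}
		// … unchanged: revision lookup from syncRevisions …
		syncedRefSources[refKey] = &argoappv1.RefTarget{
			Repo:           refTarget.Repo,
			TargetRevision: revision,
			Chart:          refTarget.Chart,
		}
```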
@@ -21,7 +21,7 @@ import ( "k8s.io/client-go/kubernetes/fake" "k8s.io/client-go/tools/cache" - "github.com/argoproj/gitops-engine/pkg/sync/common" + "github.com/argoproj/argo-cd/gitops-engine/pkg/sync/common" argoappv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" appclientset "github.com/argoproj/argo-cd/v3/pkg/client/clientset/versioned/fake" 
@@ -2002,3 +2002,114 @@ func TestValidateManagedByURL(t *testing.T) { }) } } + +func Test_GetSyncedRefSources(t *testing.T) { + tests := []struct { + name string + refSources argoappv1.RefTargetRevisionMapping + sources argoappv1.ApplicationSources + syncedRevisions []string + result argoappv1.RefTargetRevisionMapping + }{ + { + name: "multi ref sources", + refSources: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "main-1", + Chart: "chart", + }, + "$values_1": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd-1"}, + TargetRevision: "main-2", + Chart: "chart", + }, + }, + sources: argoappv1.ApplicationSources{ + {RepoURL: "https://helm.registry", TargetRevision: "0.0.1", Chart: "my-chart", Helm: &argoappv1.ApplicationSourceHelm{ValueFiles: []string{"$values/path"}}}, + {RepoURL: "https://github.com/argocd", TargetRevision: "main-1", Ref: "values"}, + {RepoURL: "https://github.com/argocd-1", TargetRevision: "main-2", Ref: "values_1"}, + }, + syncedRevisions: []string{"0.0.1", "resolved-main-1", "resolved-main-2"}, + result: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "resolved-main-1", + Chart: "chart", + }, + "$values_1": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd-1"}, + TargetRevision: "resolved-main-2", + Chart: "chart", + }, + }, + }, + { + name: "ref source", + refSources: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "main-1", + Chart: "chart", + }, + }, + sources: argoappv1.ApplicationSources{ + {RepoURL: "https://helm.registry", TargetRevision: "0.0.1", Chart: "my-chart", Helm: &argoappv1.ApplicationSourceHelm{ValueFiles: []string{"$values/path"}}}, + {RepoURL: 
"https://github.com/argocd", TargetRevision: "main-1", Ref: "values"}, + }, + syncedRevisions: []string{"0.0.1", "resolved-main-1"}, + result: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "resolved-main-1", + Chart: "chart", + }, + }, + }, + { + name: "empty ref source", + refSources: argoappv1.RefTargetRevisionMapping{}, + sources: argoappv1.ApplicationSources{ + {RepoURL: "https://helm.registry", TargetRevision: "0.0.1", Chart: "my-chart"}, + }, + syncedRevisions: []string{"0.0.1"}, + result: argoappv1.RefTargetRevisionMapping{}, + }, + { + name: "empty sources", + refSources: argoappv1.RefTargetRevisionMapping{}, + sources: argoappv1.ApplicationSources{}, + syncedRevisions: []string{}, + result: argoappv1.RefTargetRevisionMapping{}, + }, + { + name: "no synced revisions", + refSources: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "main-1", + Chart: "chart", + }, + }, + sources: argoappv1.ApplicationSources{ + {RepoURL: "https://helm.registry", TargetRevision: "0.0.1", Chart: "my-chart", Helm: &argoappv1.ApplicationSourceHelm{ValueFiles: []string{"$values/path"}}}, + {RepoURL: "https://github.com/argocd", TargetRevision: "main-1", Ref: "values"}, + }, + syncedRevisions: []string{}, + result: argoappv1.RefTargetRevisionMapping{ + "$values": &argoappv1.RefTarget{ + Repo: argoappv1.Repository{Repo: "https://github.com/argocd"}, + TargetRevision: "", + Chart: "chart", + }, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + syncedRefSources := GetSyncedRefSources(tt.refSources, tt.sources, tt.syncedRevisions) + assert.Equal(t, tt.result, syncedRefSources) + }) + } +} diff --git a/util/argo/diff/diff.go b/util/argo/diff/diff.go index 6ee4f6c4af..434f848086 100644 --- a/util/argo/diff/diff.go +++ b/util/argo/diff/diff.go 
@@ -15,9 +15,9 @@ import ( "github.com/argoproj/argo-cd/v3/util/argo/normalizers" appstatecache "github.com/argoproj/argo-cd/v3/util/cache/appstate" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/kube/scheme" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/scheme" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) @@ -353,7 +353,7 @@ func diffArrayCached(configArray []*unstructured.Unstructured, liveArray []*unst Diffs: make([]diff.DiffResult, numItems), } - for i := 0; i < numItems; i++ { + for i := range numItems { config := configArray[i] live := liveArray[i] resourceVersion := "" diff --git a/util/argo/diff/diff_test.go b/util/argo/diff/diff_test.go index 9be6dcc8c5..7942eb1af0 100644 --- a/util/argo/diff/diff_test.go +++ b/util/argo/diff/diff_test.go @@ -125,7 +125,6 @@ func TestStateDiff(t *testing.T) { }, } for _, tc := range testcases { - tc := tc t.Run(tc.name, func(t *testing.T) { // given dc := diffConfig(t, tc.params()) diff --git a/util/argo/diff/ignore.go b/util/argo/diff/ignore.go index 7b94a7c3e3..d99f6c7d34 100644 --- a/util/argo/diff/ignore.go +++ b/util/argo/diff/ignore.go @@ -2,6 +2,7 @@ package diff import ( "fmt" + "slices" "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v3/util/glob" 
@@ -89,27 +90,18 @@ func resourceToIgnoreDifference(resource v1alpha1.ResourceIgnoreDifferences) *Ig // skipping repeated configs. func mergeIgnoreDifferences(from *IgnoreDifference, target *IgnoreDifference) { for _, jqPath := range from.JQPathExpressions { - if !contains(target.JQPathExpressions, jqPath) { + if !slices.Contains(target.JQPathExpressions, jqPath) { target.JQPathExpressions = append(target.JQPathExpressions, jqPath) } } for _, jsonPointer := range from.JSONPointers { - if !contains(target.JSONPointers, jsonPointer) { + if !slices.Contains(target.JSONPointers, jsonPointer) { target.JSONPointers = append(target.JSONPointers, jsonPointer) } } for _, manager := range from.ManagedFieldsManagers { - if !contains(target.ManagedFieldsManagers, manager) { + if !slices.Contains(target.ManagedFieldsManagers, manager) { target.ManagedFieldsManagers = append(target.ManagedFieldsManagers, manager) } } } - -func contains(slice []string, e string) bool { - for _, s := range slice { - if s == e { - return true - } - } - return false -} diff --git a/util/argo/diff/normalize.go b/util/argo/diff/normalize.go index 710e5dda4c..e6366bdc30 100644 --- a/util/argo/diff/normalize.go +++ b/util/argo/diff/normalize.go @@ -4,7 +4,7 @@ import ( "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" "github.com/argoproj/argo-cd/v3/util/argo/normalizers" - "github.com/argoproj/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" ) diff --git a/util/argo/managedfields/managed_fields.go b/util/argo/managedfields/managed_fields.go index bafd4c8060..abd1678306 100644 --- a/util/argo/managedfields/managed_fields.go +++ b/util/argo/managedfields/managed_fields.go @@ -3,6 +3,7 @@ package managedfields import ( "bytes" "fmt" + "slices" log "github.com/sirupsen/logrus" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -39,7 +40,7 @@ func Normalize(live, config *unstructured.Unstructured, trustedManagers []string } for _, mf := range live.GetManagedFields() { - if trustedManager(mf.Manager, trustedManagers) { + if slices.Contains(trustedManagers, mf.Manager) { err := normalize(mf, results) if err != nil { return nil, nil, fmt.Errorf("error normalizing manager %s: %w", mf.Manager, err) @@ -114,14 +115,3 @@ func newTypedResults(live, config *unstructured.Unstructured, pt *typed.Parseabl comparison: comparison, }, nil } - -// trustedManager will return true if trustedManagers contains curManager. -// Returns false otherwise. -func trustedManager(curManager string, trustedManagers []string) bool { - for _, m := range trustedManagers { - if m == curManager { - return true - } - } - return false -} diff --git a/util/argo/managedfields/managed_fields_test.go b/util/argo/managedfields/managed_fields_test.go index 9dc244a1fb..354cb1cbe6 100644 --- a/util/argo/managedfields/managed_fields_test.go +++ b/util/argo/managedfields/managed_fields_test.go @@ -10,7 +10,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "sigs.k8s.io/yaml" - "github.com/argoproj/gitops-engine/pkg/utils/kube/scheme" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube/scheme" "github.com/argoproj/argo-cd/v3/util/argo/managedfields" "github.com/argoproj/argo-cd/v3/util/argo/testdata" diff --git a/util/argo/normalizers/diff_normalizer.go b/util/argo/normalizers/diff_normalizer.go index 5fccbe8e03..b87715977b 100644 --- a/util/argo/normalizers/diff_normalizer.go +++ b/util/argo/normalizers/diff_normalizer.go @@ -8,7 +8,7 @@ import ( "strings" "time" - "github.com/argoproj/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" jsonpatch "github.com/evanphx/json-patch" "github.com/itchyny/gojq" log "github.com/sirupsen/logrus" diff --git a/util/argo/normalizers/knowntypes_normalizer_test.go b/util/argo/normalizers/knowntypes_normalizer_test.go index d91cdef50a..c464e1847d 100644 
--- a/util/argo/normalizers/knowntypes_normalizer_test.go +++ b/util/argo/normalizers/knowntypes_normalizer_test.go @@ -275,7 +275,7 @@ func TestOverrideKeyWithoutGroup(t *testing.T) { func TestKnownTypes(t *testing.T) { typesData, err := os.ReadFile("./diffing_known_types.txt") require.NoError(t, err) - for _, typeName := range strings.Split(string(typesData), "\n") { + for typeName := range strings.SplitSeq(string(typesData), "\n") { if typeName = strings.TrimSpace(typeName); typeName == "" { continue } diff --git a/util/argo/resource_tracking.go b/util/argo/resource_tracking.go index 1d81918780..fae07464d0 100644 --- a/util/argo/resource_tracking.go +++ b/util/argo/resource_tracking.go @@ -6,7 +6,7 @@ import ( "regexp" "strings" - kubeutil "github.com/argoproj/gitops-engine/pkg/utils/kube" + kubeutil "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "github.com/argoproj/argo-cd/v3/common" diff --git a/util/cert/cert_test.go b/util/cert/cert_test.go index a3c09e183c..c1841de411 100644 --- a/util/cert/cert_test.go +++ b/util/cert/cert_test.go @@ -3,6 +3,7 @@ package cert import ( "os" "path" + "strings" "testing" "github.com/stretchr/testify/assert" 
@@ -547,24 +548,24 @@ func TestGetCertBundlePathForRepository(t *testing.T) { } func TestTLSCertificateLimit(t *testing.T) { - var data string + var data strings.Builder // Append one more than the max allowed - for i := 0; i < CertificateMaxEntriesPerStream+1; i++ { - data += TestTLSValidSingleCert + for range CertificateMaxEntriesPerStream + 1 { + data.WriteString(TestTLSValidSingleCert) } - _, err := ParseTLSCertificatesFromData(data) + _, err := ParseTLSCertificatesFromData(data.String()) require.Error(t, err) assert.Contains(t, err.Error(), "limit exceeded") } func TestSSHKnownHostsLimit(t *testing.T) { - var data string + var data strings.Builder entry := "github.com ssh-rsa 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\n" // Append one more than the max allowed - for i := 0; i < CertificateMaxEntriesPerStream+1; i++ { - data += entry + for range CertificateMaxEntriesPerStream + 1 { + data.WriteString(entry) } - _, err := ParseSSHKnownHostsFromData(data) + _, err := ParseSSHKnownHostsFromData(data.String()) require.Error(t, err) assert.Contains(t, err.Error(), "limit exceeded") } diff --git a/util/cli/cli.go b/util/cli/cli.go index 0d44bf3233..f10b10f767 100644 --- a/util/cli/cli.go +++ b/util/cli/cli.go @@ -15,7 +15,7 @@ import ( "strconv" "strings" - "github.com/argoproj/gitops-engine/pkg/utils/text" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/google/shlex" log "github.com/sirupsen/logrus" "github.com/spf13/cobra" @@ -247,7 +247,7 @@ const ( func setComments(input []byte, comments string) []byte { input = stripComments(input) var commentLines []string - for _, line := range strings.Split(comments, "\n") { + for line := range strings.SplitSeq(comments, "\n") { if line != "" { commentLines = append(commentLines, "# "+line) } diff --git a/util/db/certificate.go b/util/db/certificate.go index 2b63768168..24889efa55 100644 --- a/util/db/certificate.go +++ b/util/db/certificate.go 
@@ -218,7 +218,7 @@ func (db *db) CreateRepoCertificate(ctx context.Context, certificates *appsv1.Re } // Make sure that we received a valid public host key by parsing it - _, hostnames, rawKeyData, _, _, err := ssh.ParseKnownHosts([]byte(fmt.Sprintf("%s %s %s", certificate.ServerName, certificate.CertSubType, certificate.CertData))) + _, hostnames, rawKeyData, _, _, err := ssh.ParseKnownHosts(fmt.Appendf(nil, "%s %s %s", certificate.ServerName, certificate.CertSubType, certificate.CertData)) if err != nil { return nil, err } diff --git a/util/db/cluster.go b/util/db/cluster.go index 831dadf646..f5742776f1 100644 --- a/util/db/cluster.go +++ b/util/db/cluster.go @@ -405,7 +405,7 @@ func SecretToCluster(s *corev1.Secret) (*appv1.Cluster, error) { } var namespaces []string - for _, ns := range strings.Split(string(s.Data["namespaces"]), ",") { + for ns := range strings.SplitSeq(string(s.Data["namespaces"]), ",") { if ns = strings.TrimSpace(ns); ns != "" { namespaces = append(namespaces, ns) } diff --git a/util/db/cluster_norace_test.go b/util/db/cluster_norace_test.go index b55b03db41..5629e76dcd 100644 --- a/util/db/cluster_norace_test.go +++ b/util/db/cluster_norace_test.go @@ -1,5 +1,4 @@ //go:build !race -// +build !race package db diff --git a/util/db/cluster_test.go b/util/db/cluster_test.go index e78ebaa299..2da2f2387b 100644 --- a/util/db/cluster_test.go +++ b/util/db/cluster_test.go @@ -717,7 +717,7 @@ func TestClusterRaceConditionClusterSecrets(t *testing.T) { }() // yes, we will take 15 seconds to run this test // but it reliably triggered the race condition - for i := 0; i < 30; i++ { + for range 30 { // create a copy so we don't act on the same argo cluster clusterCopy := cluster.DeepCopy() _, _ = db.UpdateCluster(ctx, clusterCopy) diff --git a/util/db/db_test.go b/util/db/db_test.go index 50d2e25369..145aecb91e 100644 --- a/util/db/db_test.go +++ b/util/db/db_test.go 
@@ -566,7 +566,7 @@ func TestGetApplicationControllerReplicas(t *testing.T) { expectedReplicas = int32(3) clientset = getClientset(&appsv1.Deployment{ ObjectMeta: metav1.ObjectMeta{ - Name: common.ApplicationController, + Name: common.CommandApplicationController, Namespace: testNamespace, }, Spec: appsv1.DeploymentSpec{ diff --git a/util/db/repository_secrets_test.go b/util/db/repository_secrets_test.go index 8bd1a44a59..19f2339dc1 100644 --- a/util/db/repository_secrets_test.go +++ b/util/db/repository_secrets_test.go @@ -1028,7 +1028,7 @@ func TestRaceConditionInRepoCredsOperations(t *testing.T) { errChan := make(chan error, concurrentOps*2) // Channel to collect errors // Launch goroutines that perform concurrent operations - for i := 0; i < concurrentOps; i++ { + for range concurrentOps { wg.Add(2) // One goroutine converts from RepoCreds to Secret @@ -1111,7 +1111,7 @@ func TestRaceConditionInRepositoryOperations(t *testing.T) { errChan := make(chan error, concurrentOps*2) // Channel to collect errors // Launch goroutines that perform concurrent operations - for i := 0; i < concurrentOps; i++ { + for range concurrentOps { wg.Add(2) // One goroutine converts from Repository to Secret diff --git a/util/env/env.go b/util/env/env.go index 47da9175d5..e88c9303d8 100644 --- a/util/env/env.go +++ b/util/env/env.go @@ -202,7 +202,7 @@ func ParseStringToStringFromEnv(envVar string, defaultValue map[string]string, s } parsed := make(map[string]string) - for _, pair := range strings.Split(str, separator) { + for pair := range strings.SplitSeq(str, separator) { keyvalue := strings.Split(pair, "=") if len(keyvalue) != 2 { log.Warnf("Invalid key-value pair when parsing environment '%s' as a string map", str) diff --git a/util/exec/exec.go b/util/exec/exec.go index dcbe4358d3..d6c0dc3525 100644 --- a/util/exec/exec.go +++ b/util/exec/exec.go 
@@ -13,7 +13,7 @@ import ( "time" "unicode" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" "github.com/sirupsen/logrus" "github.com/argoproj/argo-cd/v3/util/log" diff --git a/util/git/client_test.go b/util/git/client_test.go index 0da29771af..f176523740 100644 --- a/util/git/client_test.go +++ b/util/git/client_test.go @@ -1091,7 +1091,7 @@ func Test_LsFiles_RaceCondition(t *testing.T) { var wg sync.WaitGroup callLsFiles := func(client Client, expectedFile string) { defer wg.Done() - for i := 0; i < 100; i++ { + for range 100 { files, err := client.LsFiles("*", true) require.NoError(t, err) require.Contains(t, files, expectedFile) @@ -1270,8 +1270,8 @@ func Test_GitNoDetachedMaintenance(t *testing.T) { output, err := native.runCmdOutput(cmd, runOpts{CaptureStderr: true}) require.NoError(t, err) - lines := strings.Split(output, "\n") - for _, line := range lines { + lines := strings.SplitSeq(output, "\n") + for line := range lines { if strings.Contains(line, "git maintenance run") { assert.NotContains(t, output, "--detach", "Unexpected --detach when running git maintenance") return diff --git a/util/git/creds.go b/util/git/creds.go index 4e64c5e476..cb73a30af4 100644 --- a/util/git/creds.go +++ b/util/git/creds.go @@ -26,8 +26,8 @@ import ( gocache "github.com/patrickmn/go-cache" - argoio "github.com/argoproj/gitops-engine/pkg/utils/io" - "github.com/argoproj/gitops-engine/pkg/utils/text" + argoio "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/io" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/text" "github.com/bradleyfalzon/ghinstallation/v2" log "github.com/sirupsen/logrus" 
@@ -388,11 +388,14 @@ type GitHubAppCreds struct { proxy string noProxy string store CredsStore + // repoURL is the full repository URL, used for extracting org for auto-discovery + repoURL string } // NewGitHubAppCreds provide github app credentials -func NewGitHubAppCreds(appID int64, appInstallId int64, privateKey string, baseURL string, clientCertData string, clientCertKey string, insecure bool, proxy string, noProxy string, store CredsStore) GenericHTTPSCreds { - return GitHubAppCreds{appID: appID, appInstallId: appInstallId, privateKey: privateKey, baseURL: baseURL, clientCertData: clientCertData, clientCertKey: clientCertKey, insecure: insecure, proxy: proxy, noProxy: noProxy, store: store} +// repoURL is required for automatic installation ID discovery when appInstallId is 0 +func NewGitHubAppCreds(appID int64, appInstallId int64, privateKey string, baseURL string, clientCertData string, clientCertKey string, insecure bool, proxy string, noProxy string, store CredsStore, repoURL string) GenericHTTPSCreds { + return GitHubAppCreds{appID: appID, appInstallId: appInstallId, privateKey: privateKey, baseURL: baseURL, clientCertData: clientCertData, clientCertKey: clientCertKey, insecure: insecure, proxy: proxy, noProxy: noProxy, store: store, repoURL: repoURL} } func (g GitHubAppCreds) Environ() (io.Closer, []string, error) { 
@@ -531,9 +534,32 @@ func (g GitHubAppCreds) getAppTransport() (*ghinstallation.AppsTransport, error) // getInstallationTransport creates a new GitHub transport for the app installation func (g GitHubAppCreds) getInstallationTransport() (*ghinstallation.Transport, error) { + installationID := g.appInstallId + + // Auto-discover installation ID if not provided + if installationID == 0 { + org, err := ExtractOrgFromRepoURL(g.repoURL) + if err != nil { + return nil, fmt.Errorf("failed to extract organization from repository URL %s for GitHub App installation discovery: %w", g.repoURL, err) + } + if org == "" { + return nil, fmt.Errorf("could not extract organization from repository URL %s: the URL does not contain an organization/owner", g.repoURL) + } + + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) + defer cancel() + + discoveredID, err := DiscoverGitHubAppInstallationID(ctx, g.appID, g.privateKey, g.baseURL, org) + if err != nil { + return nil, fmt.Errorf("failed to discover GitHub App installation ID for organization %s: ensure the GitHub App (ID: %d) is installed for this organization: %w", org, g.appID, err) + } + log.Infof("Auto-discovered GitHub App installation ID %d for org %s", discoveredID, org) + installationID = discoveredID + } + // Compute hash of creds for lookup in cache h := sha256.New() - _, err := fmt.Fprintf(h, "%s %d %d %s", g.privateKey, g.appID, g.appInstallId, g.baseURL) + _, err := fmt.Fprintf(h, "%s %d %d %s", g.privateKey, g.appID, installationID, g.baseURL) if err != nil { return nil, fmt.Errorf("failed to get SHA256 hash for GitHub app credentials: %w", err) } @@ -557,7 +583,7 @@ func (g GitHubAppCreds) getInstallationTransport() (*ghinstallation.Transport, e c := GetRepoHTTPClient(baseURL, g.insecure, g, g.proxy, g.noProxy) itr, err := ghinstallation.New(c.Transport, g.appID, - g.appInstallId, + installationID, []byte(g.privateKey), ) if err != nil { 
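Review bot: The auto-discovery block runs before the cache-key hash is computed, so every call to getInstallationTransport with `appInstallId == 0` performs `ExtractOrgFromRepoURL` plus a network round trip in `DiscoverGitHubAppInstallationID` (with its own 15s timeout) and emits the `Auto-discovered …` info log, even when a transport for that installation is already cached; the cache lookup itself sits between the two hunks, outside this one, and the `ghinstallation.New` call is only reached on a cache miss. Memoizing the discovered ID keyed by app ID, base URL and org, or folding the org into the hash and consulting the cache before discovery, would keep the discovery to one call per org rather than one per transport request. Separately, both new error strings interpolate `g.repoURL` verbatim; if a URL carrying userinfo can reach this path, consider redacting it before it is wrapped into an error that ends up in logs.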
@@ -731,8 +757,8 @@ func ExtractOrgFromRepoURL(repoURL string) (string, error) { // We distinguish this from the valid ssh://git@host:22/org/repo (with port number). if strings.HasPrefix(repoURL, "ssh://git@") { remainder := strings.TrimPrefix(repoURL, "ssh://") - if colonIdx := strings.Index(remainder, ":"); colonIdx != -1 { - afterColon := remainder[colonIdx+1:] + if _, after, ok := strings.Cut(remainder, ":"); ok { + afterColon := after slashIdx := strings.Index(afterColon, "/") // Check if what follows the colon is a port number @@ -786,7 +812,7 @@ type GoogleCloudCreds struct { } func NewGoogleCloudCreds(jsonData string, store CredsStore) GoogleCloudCreds { - creds, err := google.CredentialsFromJSON(context.Background(), []byte(jsonData), "https://www.googleapis.com/auth/cloud-platform") + creds, err := google.CredentialsFromJSONWithType(context.Background(), []byte(jsonData), google.ServiceAccount, "https://www.googleapis.com/auth/cloud-platform") if err != nil { // Invalid JSON log.Errorf("Failed reading credentials from JSON: %+v", err) diff --git a/util/git/creds_test.go b/util/git/creds_test.go index f8b0b1cd30..10715b801e 100644 --- a/util/git/creds_test.go +++ b/util/git/creds_test.go @@ -10,6 +10,7 @@ import ( "os" "path" "regexp" + "slices" "strings" "testing" "time" @@ -21,7 +22,7 @@ import ( "golang.org/x/oauth2" "golang.org/x/oauth2/google" - argoio "github.com/argoproj/gitops-engine/pkg/utils/io" + argoio "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/io" "github.com/argoproj/argo-cd/v3/util/cert" utilio "github.com/argoproj/argo-cd/v3/util/io" @@ -72,13 +73,7 @@ func TestHTTPSCreds_Environ_insecure_true(t *testing.T) { utilio.Close(closer) }) require.NoError(t, err) - found := false - for _, envVar := range env { - if envVar == "GIT_SSL_NO_VERIFY=true" { - found = true - break - } - } + found := slices.Contains(env, "GIT_SSL_NO_VERIFY=true") assert.True(t, found) } 
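Review bot: `afterColon := after` in the ExtractOrgFromRepoURL hunk is a redundant rebinding now that strings.Cut already names the remainder; bind the Cut result directly, `if _, afterColon, ok := strings.Cut(remainder, ":"); ok {`, and drop the alias line. The function starts and ends outside the hunk.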
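Review bot: After the switch to `google.CredentialsFromJSONWithType(..., google.ServiceAccount, ...)` in the NewGoogleCloudCreds hunk, the error branch still carries the comment `// Invalid JSON` and logs `Failed reading credentials from JSON`, but the call now also fails on well-formed JSON that describes any credential type other than a service account, so an operator who configured a different credential file gets a misleading message. Update the comment to `// Invalid JSON, or a credential type other than service account` and the log text to name the type restriction, and add one line to the NewGoogleCloudCreds comment saying that the credential type is pinned so repository-credential JSON cannot select other credential flows. The function continues outside the hunk.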
@@ -89,13 +84,7 @@ func TestHTTPSCreds_Environ_insecure_false(t *testing.T) { utilio.Close(closer) }) require.NoError(t, err) - found := false - for _, envVar := range env { - if envVar == "GIT_SSL_NO_VERIFY=true" { - found = true - break - } - } + found := slices.Contains(env, "GIT_SSL_NO_VERIFY=true") assert.False(t, found) } diff --git a/util/grpc/errors_test.go b/util/grpc/errors_test.go index 5e6bfd7b69..6c29032237 100644 --- a/util/grpc/errors_test.go +++ b/util/grpc/errors_test.go @@ -141,7 +141,6 @@ func Test_kubeErrToGRPC(t *testing.T) { }, } for _, c := range cases { - c := c t.Run(c.name, func(t *testing.T) { // when err := kubeErrToGRPC(c.givenErrFn()) diff --git a/util/grpc/grpc_test.go b/util/grpc/grpc_test.go index 90835e6ecd..148812f312 100644 --- a/util/grpc/grpc_test.go +++ b/util/grpc/grpc_test.go @@ -85,7 +85,6 @@ func TestBlockingDial_ProxyEnvironmentHandling(t *testing.T) { } for _, tt := range tests { - tt := tt t.Run(tt.name, func(t *testing.T) { clearProxyEnv(t) applyProxyEnv(t, tt.proxyEnv) diff --git a/util/guard/guard_test.go b/util/guard/guard_test.go index 19f5365775..0d2f9caa88 100644 --- a/util/guard/guard_test.go +++ b/util/guard/guard_test.go @@ -79,7 +79,7 @@ func TestRun_ConcurrentPanicsLogged(t *testing.T) { const n = 10 var wg sync.WaitGroup wg.Add(n) - for i := 0; i < n; i++ { + for i := range n { go func(i int) { defer wg.Done() RecoverAndLog(func() { panic(fmt.Sprintf("boom-%d", i)) }, r, "msg") diff --git a/util/helm/cmd.go b/util/helm/cmd.go index 2ad981065b..b074f409e2 100644 --- a/util/helm/cmd.go +++ b/util/helm/cmd.go 
@@ -70,11 +70,11 @@ func (c Cmd) run(ctx context.Context, args ...string) (string, string, error) { } cmd.Env = proxy.UpsertEnv(cmd, c.proxy, c.noProxy) + fullCommand := executil.GetCommandArgsToLog(cmd) out, err := c.runWithRedactor(cmd, redactor) - fullCommand := executil.GetCommandArgsToLog(cmd) if err != nil { - return out, fullCommand, fmt.Errorf("failed to get command args to log: %w", err) + return out, fullCommand, fmt.Errorf("failed running helm: %w", err) } return out, fullCommand, nil } diff --git a/util/helm/cmd_test.go b/util/helm/cmd_test.go index 6206f9d95e..149ec59cf3 100644 --- a/util/helm/cmd_test.go +++ b/util/helm/cmd_test.go @@ -90,7 +90,7 @@ func TestRegistryLogin(t *testing.T) { repo: "my.registry.com/repo", creds: &HelmCreds{}, execErr: errors.New("exit status 1"), - expectedErr: errors.New("failed to login to registry: failed to get command args to log: exit status 1"), + expectedErr: errors.New("failed to login to registry: failed running helm: exit status 1"), }, { name: "invalid repo", diff --git a/util/helm/creds.go b/util/helm/creds.go index a203bb6ad1..d320e00ef1 100644 --- a/util/helm/creds.go +++ b/util/helm/creds.go @@ -277,7 +277,7 @@ func (creds AzureWorkloadIdentityCreds) challengeAzureContainerRegistry(ctx cont tokenParams := make(map[string]string) - for _, token := range strings.Split(tokens[1], ",") { + for token := range strings.SplitSeq(tokens[1], ",") { kvPair := strings.Split(token, "=") tokenParams[kvPair[0]] = strings.Trim(kvPair[1], "\"") } diff --git a/util/helm/helm_test.go b/util/helm/helm_test.go index 786335216c..149bcf8cfb 100644 --- a/util/helm/helm_test.go +++ b/util/helm/helm_test.go @@ -8,7 +8,7 @@ import ( "github.com/argoproj/argo-cd/v3/util/io/path" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "github.com/stretchr/testify/assert" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" 
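Review bot: `kvPair[1]` in the challengeAzureContainerRegistry hunk still indexes without checking that the token contained `=`, so a challenge-header token with no equals sign makes strings.Split return a one-element slice and the following line panics; the commit only swaps the outer loop to SplitSeq. strings.Cut gives the guard for free: `key, val, ok := strings.Cut(token, "=")`, then `if !ok { continue }` (or an error return, whichever the caller expects), then `tokenParams[key] = strings.Trim(val, "\"")`. The header value comes from the registry's response, so malformed input here is outside this process's control. The enclosing function starts and ends outside the hunk.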
diff --git a/util/http/http.go b/util/http/http.go index 3adcbe52a4..bcd8e0e83a 100644 --- a/util/http/http.go +++ b/util/http/http.go @@ -58,10 +58,7 @@ func splitCookie(key, value, attributes string) []string { var end int for i, j := 0, 0; i < valueLength; i, j = i+maxValueLength, j+1 { - end = i + maxValueLength - if end > valueLength { - end = valueLength - } + end = min(i+maxValueLength, valueLength) var cookie string switch { diff --git a/util/io/files/util_test.go b/util/io/files/util_test.go index d44d2bd1cd..080a1d80b3 100644 --- a/util/io/files/util_test.go +++ b/util/io/files/util_test.go @@ -77,7 +77,6 @@ func TestRelativePath(t *testing.T) { }, } for _, c := range cases { - c := c t.Run(c.name, func(t *testing.T) { // given t.Parallel() @@ -134,7 +133,6 @@ func TestInbound(t *testing.T) { }, } for _, c := range cases { - c := c t.Run(c.name, func(t *testing.T) { // given t.Parallel() diff --git a/util/io/paths.go b/util/io/paths.go index 71f55eacbb..f5434fecee 100644 --- a/util/io/paths.go +++ b/util/io/paths.go @@ -1,6 +1,7 @@ package io import ( + "maps" "path/filepath" "sync" @@ -65,8 +66,6 @@ func (p *RandomizedTempPaths) GetPaths() map[string]string { p.lock.RLock() defer p.lock.RUnlock() paths := map[string]string{} - for k, v := range p.paths { - paths[k] = v - } + maps.Copy(paths, p.paths) return paths } diff --git a/util/jwt/jwt.go b/util/jwt/jwt.go index c9caa3794d..0c60e112ee 100644 --- a/util/jwt/jwt.go +++ b/util/jwt/jwt.go @@ -3,6 +3,7 @@ package jwt import ( "encoding/json" "fmt" + "slices" "strings" "time" @@ -123,10 +124,8 @@ func IsMember(claims jwtgo.Claims, groups []string, scopes []string) bool { } // O(n^2) loop for _, userGroup := range GetGroups(mapClaims, scopes) { - for _, group := range groups { - if userGroup == group { - return true - } + if slices.Contains(groups, userGroup) { + return true } } return false diff --git a/util/kube/kube.go b/util/kube/kube.go index 6e1d67f98e..c7895bb795 100644 --- a/util/kube/kube.go 
+++ b/util/kube/kube.go @@ -4,7 +4,7 @@ import ( "fmt" "regexp" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" diff --git a/util/kube/kubectl.go b/util/kube/kubectl.go index 5c5996bcdd..6d22bcc96a 100644 --- a/util/kube/kubectl.go +++ b/util/kube/kubectl.go @@ -9,9 +9,9 @@ import ( "github.com/argoproj/argo-cd/v3/util/log" - "github.com/argoproj/gitops-engine/pkg/diff" - "github.com/argoproj/gitops-engine/pkg/utils/kube" - "github.com/argoproj/gitops-engine/pkg/utils/tracing" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/tracing" ) var ( diff --git a/util/kube/util.go b/util/kube/util.go index a2d3afc003..7e1a094153 100644 --- a/util/kube/util.go +++ b/util/kube/util.go @@ -2,6 +2,7 @@ package kube import ( "context" + "maps" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" @@ -84,9 +85,7 @@ func (ku *kubeUtil) CreateOrUpdateSecretData(ns string, name string, data map[st if !merge || new { s.Data = data } else { - for key, val := range data { - s.Data[key] = val - } + maps.Copy(s.Data, data) } return nil }) diff --git a/util/kustomize/kustomize.go b/util/kustomize/kustomize.go index 1cbbe438d9..922c3d145a 100644 --- a/util/kustomize/kustomize.go +++ b/util/kustomize/kustomize.go @@ -9,6 +9,7 @@ import ( "os/exec" "path/filepath" "regexp" + "slices" "sort" "strings" "sync" @@ -18,7 +19,7 @@ import ( "github.com/argoproj/argo-cd/v3/util/io" - "github.com/argoproj/gitops-engine/pkg/utils/kube" + "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/kube" log "github.com/sirupsen/logrus" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
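Review bot: `maps.Copy(s.Data, data)` in the CreateOrUpdateSecretData hunk writes into the existing Secret's Data map, which is nil when the fetched Secret carries no data, and writing to a nil map panics; the replaced range loop had the same gap, so the commit changes form but not this edge. A guard before the copy, `if s.Data == nil { s.Data = make(map[string][]byte) }`, keeps the merge path safe for an empty Secret. The enclosing function starts and ends outside the hunk, so I cannot see whether a caller already guarantees a non-nil map.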
@@ -77,12 +78,7 @@ var KustomizationNames = []string{"kustomization.yaml", "kustomization.yml", "Ku // IsKustomization checks if the given file name matches any known kustomization file names. func IsKustomization(path string) bool { - for _, kustomization := range KustomizationNames { - if path == kustomization { - return true - } - } - return false + return slices.Contains(KustomizationNames, path) } // findKustomizeFile looks for any known kustomization file in the path diff --git a/util/lua/custom_actions_test.go b/util/lua/custom_actions_test.go index 186852e3b4..e0be61efc0 100644 --- a/util/lua/custom_actions_test.go +++ b/util/lua/custom_actions_test.go @@ -14,7 +14,7 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "sigs.k8s.io/yaml" - "github.com/argoproj/gitops-engine/pkg/diff" + "github.com/argoproj/argo-cd/gitops-engine/pkg/diff" applicationpkg "github.com/argoproj/argo-cd/v3/pkg/apiclient/application" appsv1 "github.com/argoproj/argo-cd/v3/pkg/apis/application/v1alpha1" diff --git a/util/lua/health_test.go b/util/lua/health_test.go index 3f97da49c9..064e852857 100644 --- a/util/lua/health_test.go +++ b/util/lua/health_test.go @@ -6,7 +6,7 @@ import ( "strings" "testing" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" diff --git a/util/lua/lua.go b/util/lua/lua.go index ddc1aff788..92dbc83005 100644 --- a/util/lua/lua.go +++ b/util/lua/lua.go @@ -15,7 +15,7 @@ import ( "sync" "time" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" glob "github.com/bmatcuk/doublestar/v4" lua "github.com/yuin/gopher-lua" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" 
@@ -144,7 +144,7 @@ func (vm VM) ExecuteHealthLua(obj *unstructured.Unstructured, script string) (*h err = json.Unmarshal(jsonBytes, healthStatus) if err != nil { // Validate if the error is caused by an empty object - typeError := &json.UnmarshalTypeError{Value: "array", Type: reflect.TypeOf(healthStatus)} + typeError := &json.UnmarshalTypeError{Value: "array", Type: reflect.TypeFor[*health.HealthStatus]()} if errors.As(err, &typeError) { return &health.HealthStatus{}, nil } diff --git a/util/lua/lua_test.go b/util/lua/lua_test.go index 96f10fc137..4297286a4d 100644 --- a/util/lua/lua_test.go +++ b/util/lua/lua_test.go @@ -5,7 +5,7 @@ import ( "fmt" "testing" - "github.com/argoproj/gitops-engine/pkg/health" + "github.com/argoproj/argo-cd/gitops-engine/pkg/health" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" lua "github.com/yuin/gopher-lua" diff --git a/util/notification/expression/expr.go b/util/notification/expression/expr.go index d34a83d434..c4b75809ec 100644 --- a/util/notification/expression/expr.go +++ b/util/notification/expression/expr.go @@ -1,6 +1,8 @@ package expression import ( + "maps" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" service "github.com/argoproj/argo-cd/v3/util/notification/argocd" @@ -27,9 +29,7 @@ func Spawn(app *unstructured.Unstructured, argocdService service.Service, vars m for k := range vars { clone[k] = vars[k] } - for namespace, helper := range helpers { - clone[namespace] = helper - } + maps.Copy(clone, helpers) clone["repo"] = repo.NewExprs(argocdService, app) return clone diff --git a/util/notification/settings/legacy.go b/util/notification/settings/legacy.go index 5adc9a4473..c612d5aadb 100644 --- a/util/notification/settings/legacy.go +++ b/util/notification/settings/legacy.go @@ -3,6 +3,7 @@ package settings import ( "encoding/json" "fmt" + "maps" "strings" "github.com/argoproj/notifications-engine/pkg/api" 
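Review bot: The pre-populated `typeError` in the ExecuteHealthLua hunk never influences the match: `errors.As(err, &typeError)` overwrites the target with whatever *json.UnmarshalTypeError it finds in the chain, so the `Value: "array"` and `Type:` fields set on the new line are discarded and any unmarshal type error, not only the empty-object case the comment describes, yields an empty HealthStatus. To make the check do what the comment says, declare `var typeError *json.UnmarshalTypeError` and test `if errors.As(err, &typeError) && typeError.Value == "array" {`; whether a Type comparison is also wanted depends on what the decoder reports for a pointer target, which I cannot confirm from here. The enclosing function starts and ends outside the hunk.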
@@ -229,8 +230,6 @@ func injectLegacyVar(ctx map[string]string, serviceType string) map[string]strin res := map[string]string{ "notificationType": serviceType, } - for k, v := range ctx { - res[k] = v - } + maps.Copy(res, ctx) return res } diff --git a/util/oci/client.go b/util/oci/client.go index 9517c0cd44..256aab4a19 100644 --- a/util/oci/client.go +++ b/util/oci/client.go @@ -518,7 +518,7 @@ func isContentLayer(mediaType string) bool { func isCompressedLayer(mediaType string) bool { // TODO: Is zstd something which is used in the wild? For now let's stick to these suffixes - return strings.HasSuffix(mediaType, "tar+gzip") || strings.HasSuffix(mediaType, "tar") + return strings.HasSuffix(mediaType, "tar+gzip") || strings.HasSuffix(mediaType, "tar.gzip") || strings.HasSuffix(mediaType, "tar") } func createTarFile(from, to string) error { @@ -625,7 +625,7 @@ func (s *compressedLayerExtracterStore) Push(ctx context.Context, desc imagev1.D } defer os.RemoveAll(srcDir) - if strings.HasSuffix(desc.MediaType, "tar+gzip") { + if strings.HasSuffix(desc.MediaType, "tar+gzip") || strings.HasSuffix(desc.MediaType, "tar.gzip") { err = files.Untgz(srcDir, content, s.maxSize, false) } else { err = files.Untar(srcDir, content, s.maxSize, false) diff --git a/util/oci/client_test.go b/util/oci/client_test.go index db5f5c95b9..0982cb99fd 100644 --- a/util/oci/client_test.go +++ b/util/oci/client_test.go 
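Review bot: The set of gzip media-type suffixes now lives in two places, isCompressedLayer and compressedLayerExtracterStore.Push (the second util/oci/client.go hunk), and the two must agree for a layer classified as compressed to actually be routed to Untgz; the commit extends both by hand with `"tar.gzip"`. A single predicate, `func isGzipLayer(mediaType string) bool { return strings.HasSuffix(mediaType, "tar+gzip") || strings.HasSuffix(mediaType, "tar.gzip") }`, called from both sites removes the risk of the lists drifting the next time a suffix is added, and the zstd TODO would then have one place to land. Push starts outside its hunk.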
@@ -259,6 +259,31 @@ func Test_nativeOCIClient_Extract(t *testing.T) { disableManifestMaxExtractedSize: false, }, }, + { + name: "extraction with docker rootfs tar.gzip layer", + fields: fields{ + allowedMediaTypes: []string{"application/vnd.docker.image.rootfs.diff.tar.gzip"}, + }, + args: args{ + digestFunc: func(store *memory.Store) string { + layerBlob := createGzippedTarWithContent(t, "foo.yaml", "some content") + return generateManifest(t, store, layerConf{content.NewDescriptorFromBytes("application/vnd.docker.image.rootfs.diff.tar.gzip", layerBlob), layerBlob}) + }, + postValidationFunc: func(_, path string, _ Client, _ fields, _ args) { + manifestDir, err := os.ReadDir(path) + require.NoError(t, err) + require.Len(t, manifestDir, 1) + require.Equal(t, "foo.yaml", manifestDir[0].Name()) + f, err := os.Open(filepath.Join(path, manifestDir[0].Name())) + require.NoError(t, err) + contents, err := io.ReadAll(f) + require.NoError(t, err) + require.Equal(t, "some content", string(contents)) + }, + manifestMaxExtractedSize: 1000, + disableManifestMaxExtractedSize: false, + }, + }, { name: "extraction with standard gzip layer using cache", fields: fields{ diff --git a/util/oidc/oidc.go b/util/oidc/oidc.go index 61f63152a7..4a7c9dffc6 100644 --- a/util/oidc/oidc.go +++ b/util/oidc/oidc.go @@ -14,10 +14,17 @@ import ( "net/url" "os" "path" + "slices" "strings" "sync" "time" + "go.opentelemetry.io/otel/codes" + + "go.opentelemetry.io/otel" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/trace" + gooidc "github.com/coreos/go-oidc/v3/oidc" "github.com/golang-jwt/jwt/v5" log "github.com/sirupsen/logrus" @@ -37,6 +44,13 @@ import ( var ErrInvalidRedirectURL = errors.New("invalid return URL") +// OpenTelemetry tracer for this package +var tracer trace.Tracer + +func init() { + tracer = otel.Tracer("github.com/argoproj/argo-cd/v3/util/oidc") +} + const ( GrantTypeAuthorizationCode = "authorization_code" GrantTypeImplicit = "implicit" 
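Review bot: The tracer in util/oidc/oidc.go is declared as a bare `var tracer trace.Tracer` and assigned in an init function, which splits declaration from initialization and adds init ordering for readers to reason about; `var tracer = otel.Tracer("github.com/argoproj/argo-cd/v3/util/oidc")` does the same work in one line. The import hunk also splits the OpenTelemetry packages into two groups, with `go.opentelemetry.io/otel/codes` on its own; keeping them in one third-party group matches the surrounding imports. The same pattern appears in util/session/sessionmanager.go.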
@@ -146,6 +160,9 @@ func GetOidcTokenCacheFromJSON(jsonBytes []byte) (*OidcTokenCache, error) { // GetTokenSourceFromCache creates an oauth2 TokenSource from a cached oidc token. The TokenSource will be configured // with an early expiration based on the refreshTokenThreshold. func (a *ClientApp) GetTokenSourceFromCache(ctx context.Context, oidcTokenCache *OidcTokenCache) (oauth2.TokenSource, error) { + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.ClientApp.GetTokenSourceFromCache") + defer span.End() if oidcTokenCache == nil { return nil, errors.New("oidcTokenCache is required") } @@ -197,10 +214,18 @@ func NewClientApp(settings *settings.ArgoCDSettings, dexServerAddr string, dexTL transport := &http.Transport{ Proxy: http.ProxyFromEnvironment, - Dial: (&net.Dialer{ - Timeout: 30 * time.Second, - KeepAlive: 30 * time.Second, - }).Dial, + DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) { + _, span := tracer.Start(ctx, "oidc.ClientApp.client") + defer span.End() + span.SetAttributes( + attribute.String("network", network), + attribute.String("addr", addr), + ) + return (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + }).Dial(network, addr) + }, TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, } @@ -540,7 +565,7 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) { } // save the accessToken in memory for later use sub := jwtutil.StringField(claims, "sub") - err = a.SetValueInEncryptedCache(FormatAccessTokenCacheKey(sub), []byte(token.AccessToken), GetTokenExpiration(claims)) + err = a.SetValueInEncryptedCache(ctx, FormatAccessTokenCacheKey(sub), []byte(token.AccessToken), GetTokenExpiration(claims)) if err != nil { claimsJSON, _ := json.Marshal(claims) log.Errorf("cannot cache encrypted accessToken: %v (claims=%s)", err, claimsJSON) 
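Review bot: The new DialContext closure in the NewClientApp hunk discards its context: it passes `ctx` to tracer.Start and then calls `(&net.Dialer{...}).Dial(network, addr)`, so the switch from Dial to DialContext buys no cancellation, and a request the caller has already abandoned keeps dialling. Use the span's context and the context-aware dial: `dialCtx, span := tracer.Start(ctx, "oidc.ClientApp.client")` and `return (&net.Dialer{Timeout: 30 * time.Second, KeepAlive: 30 * time.Second}).DialContext(dialCtx, network, addr)`. Recording `addr` as a span attribute also copies every IdP host:port into the trace backend, which is probably acceptable but should be a conscious decision. NewClientApp starts and ends outside the hunk.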
@@ -556,7 +581,7 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) { return } sid := jwtutil.StringField(claims, "sid") - err = a.SetValueInEncryptedCache(formatOidcTokenCacheKey(sub, sid), oidcTokenCacheJSON, GetTokenExpiration(claims)) + err = a.SetValueInEncryptedCache(ctx, formatOidcTokenCacheKey(sub, sid), oidcTokenCacheJSON, GetTokenExpiration(claims)) if err != nil { claimsJSON, _ := json.Marshal(claims) log.Errorf("cannot cache encrypted oidc token: %v (claims=%s)", err, claimsJSON) 
@@ -586,30 +611,48 @@ func (a *ClientApp) HandleCallback(w http.ResponseWriter, r *http.Request) { // GetValueFromEncryptedCache is a convenience method for retreiving a value from cache and decrypting it. If the cache // does not contain a value for the given key, a nil value is returned. Return handling should check for error and then // check for nil. -func (a *ClientApp) GetValueFromEncryptedCache(key string) (value []byte, err error) { +func (a *ClientApp) GetValueFromEncryptedCache(ctx context.Context, key string) (value []byte, err error) { + _, span := tracer.Start(ctx, "oidc.ClientApp.GetValueFromEncryptedCache") + defer span.End() var encryptedValue []byte + span.AddEvent("start cache read") err = a.clientCache.Get(key, &encryptedValue) + span.AddEvent("end cache read") if err != nil { if errors.Is(err, cache.ErrCacheMiss) { + span.SetAttributes(attribute.Bool("cache_hit", false)) // Return nil to signify a cache miss return nil, nil } - return nil, fmt.Errorf("failed to get encrypted value from cache: %w", err) + err = fmt.Errorf("failed to get encrypted value from cache: %w", err) + span.SetStatus(codes.Error, err.Error()) + return nil, err } + span.SetAttributes(attribute.Bool("cache_hit", true)) value, err = crypto.Decrypt(encryptedValue, a.encryptionKey) if err != nil { - return nil, fmt.Errorf("failed to decrypt value from cache: %w", err) + err = fmt.Errorf("failed to decrypt value from cache: %w", err) + span.SetStatus(codes.Error, err.Error()) + return nil, err } return value, err } // SetValueFromEncyrptedCache is a convenience method for encrypting a value and storing it in the cache at a given key. // Cache expiration is set based on input. 
-func (a *ClientApp) SetValueInEncryptedCache(key string, value []byte, expiration time.Duration) error { +func (a *ClientApp) SetValueInEncryptedCache(ctx context.Context, key string, value []byte, expiration time.Duration) error { + _, span := tracer.Start(ctx, "oidc.ClientApp.SetValueInEncryptedCache") + defer span.End() encryptedValue, err := crypto.Encrypt(value, a.encryptionKey) if err != nil { + span.SetStatus(codes.Error, err.Error()) return err } + span.SetAttributes( + attribute.String("key", key), + attribute.Int("value_length", len(value)), + ) + span.AddEvent("start cache write") err = a.clientCache.Set(&cache.Item{ Key: key, Object: encryptedValue, @@ -617,25 +660,38 @@ func (a *ClientApp) SetValueInEncryptedCache(key string, value []byte, expiratio Expiration: expiration, }, }) + span.AddEvent("end cache write") if err != nil { + span.SetStatus(codes.Error, err.Error()) return err } return nil } func (a *ClientApp) CheckAndRefreshToken(ctx context.Context, groupClaims jwt.MapClaims, refreshTokenThreshold time.Duration) (string, error) { + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.ClientApp.CheckAndRefreshToken") + defer span.End() + iss := jwtutil.StringField(groupClaims, "iss") sub := jwtutil.StringField(groupClaims, "sub") sid := jwtutil.StringField(groupClaims, "sid") + span.SetAttributes( + attribute.String("iss", iss), + attribute.String("sub", sub), + attribute.String("sid", sid)) if GetTokenExpiration(groupClaims) < refreshTokenThreshold { token, err := a.GetUpdatedOidcTokenFromCache(ctx, sub, sid) if err != nil { log.Errorf("Failed to get token from cache: %v", err) + span.SetStatus(codes.Error, err.Error()) return "", err } if token != nil { idTokenRAW, ok := token.Extra("id_token").(string) if !ok { - return "", errors.New("empty id_token") + err = errors.New("empty id_token") + span.SetStatus(codes.Error, err.Error()) + return "", err } return idTokenRAW, nil } 
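Review bot: `attribute.String("key", key)` in SetValueInEncryptedCache records the full cache key, which the HandleCallback callers build from the user's `sub` and `sid`, and the CheckAndRefreshToken hunk below adds `iss`, `sub` and `sid` as span attributes directly; the GetUpdatedOidcTokenFromCache hunk does the same with `subject` and `sessionId`. That exports user identities and OIDC session identifiers to whatever tracing backend is configured, a new sink for identity data that the commit does not discuss. If correlation is the goal, a hash of the key, or just a cache-hit flag as GetValueFromEncryptedCache already records, gives the same debugging value without copying identifiers into traces; if the raw values are needed, say so in the function comments so operators can scope access to the trace backend accordingly. SetValueInEncryptedCache and CheckAndRefreshToken continue outside their hunks.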
@@ -646,12 +702,21 @@ func (a *ClientApp) CheckAndRefreshToken(ctx context.Context, groupClaims jwt.Ma // GetUpdatedOidcTokenFromCache fetches a token from cache and refreshes it if under the threshold for expiration. // The cached token will also be updated if it is refreshed. Returns latest token or an error if the process fails. func (a *ClientApp) GetUpdatedOidcTokenFromCache(ctx context.Context, subject string, sessionId string) (*oauth2.Token, error) { + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.ClientApp.GetUpdatedOidcTokenFromCache") + defer span.End() + ctx = gooidc.ClientContext(ctx, a.client) + span.SetAttributes( + attribute.String("subject", subject), + attribute.String("sessionId", sessionId), + ) // Get oauth2 config cacheKey := formatOidcTokenCacheKey(subject, sessionId) - oidcTokenCacheJSON, err := a.GetValueFromEncryptedCache(cacheKey) + oidcTokenCacheJSON, err := a.GetValueFromEncryptedCache(ctx, cacheKey) if err != nil { + span.SetStatus(codes.Error, err.Error()) return nil, err } if oidcTokenCacheJSON == nil { 
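Review bot: `ctx = gooidc.ClientContext(ctx, a.client)` is a functional change among the tracing lines: the oauth2 TokenSource built from this context will now send the refresh request through a.client, and therefore its proxy, TLS and dialer configuration, instead of whatever client the incoming context carried. If that is intentional it deserves a one-line comment, `// route the refresh request through the configured client (proxy/TLS settings)`, and a mention in the commit message; if a caller already sets the client on the context, the line is redundant. I cannot tell from the hunk which is the case.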
@@ -661,25 +726,35 @@ func (a *ClientApp) GetUpdatedOidcTokenFromCache(ctx context.Context, subject st oidcTokenCache, err := GetOidcTokenCacheFromJSON(oidcTokenCacheJSON) if err != nil { err = fmt.Errorf("failed to unmarshal cached oidc token: %w", err) + span.SetStatus(codes.Error, err.Error()) return nil, err } tokenSource, err := a.GetTokenSourceFromCache(ctx, oidcTokenCache) if err != nil { err = fmt.Errorf("failed to get token source from cached oidc token: %w", err) + span.SetStatus(codes.Error, err.Error()) return nil, err } + span.AddEvent("starting tokenSource.Token()") token, err := tokenSource.Token() + span.AddEvent("finished tokenSource.Token()") if err != nil { - return nil, fmt.Errorf("failed to refresh token from source: %w", err) + err = fmt.Errorf("failed to refresh token from source: %w", err) + span.SetStatus(codes.Error, err.Error()) + return nil, err } if token.AccessToken != oidcTokenCache.Token.AccessToken { + span.AddEvent("updating cache with latest token") oidcTokenCache = NewOidcTokenCache(oidcTokenCache.RedirectURL, token) oidcTokenCacheJSON, err = json.Marshal(oidcTokenCache) if err != nil { - return nil, fmt.Errorf("failed to marshal oidc oidcTokenCache refresher: %w", err) + err = fmt.Errorf("failed to marshal oidc oidcTokenCache refresher: %w", err) + span.SetStatus(codes.Error, err.Error()) + return nil, err } - err = a.SetValueInEncryptedCache(cacheKey, oidcTokenCacheJSON, time.Until(token.Expiry)) + err = a.SetValueInEncryptedCache(ctx, cacheKey, oidcTokenCacheJSON, time.Until(token.Expiry)) if err != nil { + span.SetStatus(codes.Error, err.Error()) return nil, err } } 
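Review bot: Every error path in this GetUpdatedOidcTokenFromCache hunk repeats the same three lines, `err = fmt.Errorf(...)`, `span.SetStatus(codes.Error, err.Error())`, `return nil, err`, six times in one function, and the same shape recurs in the other util/oidc hunks; the OpenTelemetry API also offers `span.RecordError(err)`, which attaches the error as an event and is the conventional companion to SetStatus. A local closure, `fail := func(err error) (*oauth2.Token, error) { span.RecordError(err); span.SetStatus(codes.Error, err.Error()); return nil, err }`, collapses each site to `return fail(fmt.Errorf(...))` and makes it harder to forget the status on a path added later. The enclosing function starts outside the hunk.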
@@ -750,12 +825,7 @@ func OfflineAccess(scopes []string) bool { return true } // See if scopes_supported has the "offline_access" scope. - for _, scope := range scopes { - if scope == gooidc.ScopeOfflineAccess { - return true - } - } - return false + return slices.Contains(scopes, gooidc.ScopeOfflineAccess) } // InferGrantType infers the proper grant flow depending on the OAuth2 client config and OIDC configuration. @@ -764,10 +834,8 @@ func InferGrantType(oidcConf *OIDCConfiguration) string { // Check the supported response types. If the list contains the response type 'code', // then grant type is 'authorization_code'. This is preferred over the implicit // grant type since refresh tokens cannot be issued that way. - for _, supportedType := range oidcConf.ResponseTypesSupported { - if supportedType == ResponseTypeCode { - return GrantTypeAuthorizationCode - } + if slices.Contains(oidcConf.ResponseTypesSupported, ResponseTypeCode) { + return GrantTypeAuthorizationCode } // Assume implicit otherwise @@ -833,6 +901,9 @@ func (a *ClientApp) SetGroupsFromUserInfo(ctx context.Context, claims jwt.Claims // GetUserInfo queries the IDP userinfo endpoint for claims func (a *ClientApp) GetUserInfo(ctx context.Context, actualClaims jwt.MapClaims, issuerURL, userInfoPath string) (jwt.MapClaims, bool, error) { + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.ClientApp.GetUserInfo") + defer span.End() sub := jwtutil.StringField(actualClaims, "sub") var claims jwt.MapClaims var encClaims []byte @@ -854,7 +925,7 @@ func (a *ClientApp) GetUserInfo(ctx context.Context, actualClaims jwt.MapClaims, } // check if the accessToken for the user is still present - accessTokenBytes, err := a.GetValueFromEncryptedCache(FormatAccessTokenCacheKey(sub)) + accessTokenBytes, err := a.GetValueFromEncryptedCache(ctx, FormatAccessTokenCacheKey(sub)) if err != nil { return claims, true, fmt.Errorf("could not read accessToken from cache for %s: %w", sub, err) } 
diff --git a/util/oidc/oidc_test.go b/util/oidc/oidc_test.go index ce0071bcec..4efb902412 100644 --- a/util/oidc/oidc_test.go +++ b/util/oidc/oidc_test.go @@ -627,7 +627,7 @@ func Test_azureApp_getFederatedServiceAccountToken(t *testing.T) { var wg sync.WaitGroup numGoroutines := 10 wg.Add(numGoroutines) - for i := 0; i < numGoroutines; i++ { + for range numGoroutines { go func() { defer wg.Done() _, err := app.getFederatedServiceAccountToken(t.Context()) @@ -647,7 +647,7 @@ func Test_azureApp_getFederatedServiceAccountToken(t *testing.T) { app.expires = time.Now() numGoroutines := 10 wg.Add(numGoroutines) - for i := 0; i < numGoroutines; i++ { + for range numGoroutines { go func() { defer wg.Done() _, err := app.getFederatedServiceAccountToken(t.Context()) @@ -1418,7 +1418,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL), if tt.insertIntoCache { oidcTokenCacheJSON, err := json.Marshal(tt.oidcTokenCache) require.NoError(t, err) - require.NoError(t, app.SetValueInEncryptedCache(formatOidcTokenCacheKey(tt.subject, tt.session), oidcTokenCacheJSON, time.Minute)) + require.NoError(t, app.SetValueInEncryptedCache(t.Context(), formatOidcTokenCacheKey(tt.subject, tt.session), oidcTokenCacheJSON, time.Minute)) } token, err := app.GetUpdatedOidcTokenFromCache(t.Context(), tt.subject, tt.session) if tt.expectErrorContains != "" { @@ -1509,7 +1509,7 @@ requestedScopes: ["oidc"]`, oidcTestServer.URL, tt.refreshTokenThreshold), require.NotEmpty(t, sub) sid := jwtutil.StringField(tt.groupClaims, "sid") require.NotEmpty(t, sid) - require.NoError(t, app.SetValueInEncryptedCache(formatOidcTokenCacheKey(sub, sid), oidcTokenCacheJSON, time.Minute)) + require.NoError(t, app.SetValueInEncryptedCache(t.Context(), formatOidcTokenCacheKey(sub, sid), oidcTokenCacheJSON, time.Minute)) token, err := app.CheckAndRefreshToken(t.Context(), tt.groupClaims, cdSettings.RefreshTokenThreshold()) if tt.expectErrorContains != "" { require.ErrorContains(t, err, tt.expectErrorContains) 
diff --git a/util/oidc/provider.go b/util/oidc/provider.go index 8cde5a664f..6e385804f4 100644 --- a/util/oidc/provider.go +++ b/util/oidc/provider.go @@ -7,6 +7,10 @@ import ( "net/http" "strings" + "go.opentelemetry.io/otel/attribute" + "go.opentelemetry.io/otel/codes" + "go.opentelemetry.io/otel/trace" + gooidc "github.com/coreos/go-oidc/v3/oidc" log "github.com/sirupsen/logrus" "golang.org/x/oauth2" @@ -103,8 +107,12 @@ func (p *providerImpl) Verify(ctx context.Context, tokenString string, argoSetti // // At this point, we have not verified that the token has not been altered. All code paths below MUST VERIFY // THE TOKEN SIGNATURE to confirm that an attacker did not maliciously remove the "aud" claim. + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.providerImpl.Verify") + defer span.End() unverifiedHasAudClaim, err := security.UnverifiedHasAudClaim(tokenString) if err != nil { + span.SetStatus(codes.Error, err.Error()) return nil, fmt.Errorf("failed to determine whether the token has an aud claim: %w", err) } @@ -113,7 +121,9 @@ func (p *providerImpl) Verify(ctx context.Context, tokenString string, argoSetti idToken, err = p.verify(ctx, "", tokenString, argoSettings.SkipAudienceCheckWhenTokenHasNoAudience()) } else { allowedAudiences := argoSettings.OAuth2AllowedAudiences() + span.SetAttributes(attribute.StringSlice("allowedAudiences", allowedAudiences)) if len(allowedAudiences) == 0 { + span.SetStatus(codes.Error, "token has an audience claim, but no allowed audiences are configured") return nil, errors.New("token has an audience claim, but no allowed audiences are configured") } tokenVerificationErrors := make(map[string]error) @@ -143,6 +153,7 @@ func (p *providerImpl) Verify(ctx context.Context, tokenString string, argoSetti } if err != nil { + span.SetStatus(codes.Error, err.Error()) return nil, fmt.Errorf("failed to verify provider token: %w", err) } 
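Review bot: The tracer.Start lines in the first provider.go hunk are inserted between the comment block ending `THE TOKEN SIGNATURE to confirm that an attacker did not maliciously remove the "aud" claim.` and `security.UnverifiedHasAudClaim(tokenString)`, the call that comment explains, so the security warning now reads as if it described the span setup. Move the three span lines above the comment block (or to the top of Verify) so the note stays attached to the code it governs. Verify starts and ends outside these hunks.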
@@ -150,8 +161,12 @@ func (p *providerImpl) Verify(ctx context.Context, tokenString string, argoSetti } func (p *providerImpl) verify(ctx context.Context, clientID, tokenString string, skipClientIDCheck bool) (*gooidc.IDToken, error) { + var span trace.Span + ctx, span = tracer.Start(ctx, "oidc.providerImpl.verify") + defer span.End() prov, err := p.provider() if err != nil { + span.SetStatus(codes.Error, fmt.Sprintf("failed to query provider: %v", err)) return nil, err } config := &gooidc.Config{ClientID: clientID, SkipClientIDCheck: skipClientIDCheck} @@ -166,16 +181,19 @@ func (p *providerImpl) verify(ctx context.Context, clientID, tokenString string, // 3. re-attempting token verification // NOTE: the error message is sensitive to implementation of verifier.Verify() if !strings.Contains(err.Error(), "failed to verify signature") { + span.SetStatus(codes.Error, fmt.Sprintf("error verifying token: %v", err)) return nil, err } newProvider, retryErr := p.newGoOIDCProvider() if retryErr != nil { + span.SetStatus(codes.Error, fmt.Sprintf("hack: error verifying token on retry: %v", err)) // return original error if we fail to re-initialize OIDC return nil, err } verifier = newProvider.Verifier(config) idToken, err = verifier.Verify(ctx, tokenString) if err != nil { + span.SetStatus(codes.Error, fmt.Sprintf("hack: error verifying token: %v", err)) return nil, err } // If we get here, we successfully re-initialized OIDC and after re-initialization, diff --git a/util/password/password.go b/util/password/password.go index 41f34f079e..36789f3560 100644 --- a/util/password/password.go +++ b/util/password/password.go 
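Review bot: In the retry branch of verify, `span.SetStatus(codes.Error, fmt.Sprintf("hack: error verifying token on retry: %v", err))` formats the original `err` rather than `retryErr`, so the reason provider re-initialization failed never reaches the span even though the code deliberately returns the original error to the caller; the description is also prefixed "hack", which will appear verbatim in the tracing UI. Record both: `span.SetStatus(codes.Error, fmt.Sprintf("failed to re-initialize OIDC provider: %v (original verify error: %v)", retryErr, err))`. verify continues outside the hunk.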
@@ -85,10 +85,7 @@ func (h DummyPasswordHasher) VerifyPassword(password, hashedPassword string) boo
 // HashPassword creates a one-way digest ("hash") of a password. In the case of Bcrypt, a pseudorandom salt is included automatically by the underlying library. For security reasons, the work factor is always at _least_ bcrypt.DefaultCost.
 func (h BcryptPasswordHasher) HashPassword(password string) (string, error) {
- cost := h.Cost
- if cost < bcrypt.DefaultCost {
- cost = bcrypt.DefaultCost
- }
+ cost := max(h.Cost, bcrypt.DefaultCost)
 hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), cost)
 if err != nil {
 hashedPassword = []byte("")
diff --git a/util/rand/rand.go b/util/rand/rand.go
index 82603da176..9b2853c053 100644
--- a/util/rand/rand.go
+++ b/util/rand/rand.go
@@ -18,7 +18,7 @@ func String(n int) (string, error) {
 func StringFromCharset(n int, charset string) (string, error) {
 b := make([]byte, n)
 maxIdx := big.NewInt(int64(len(charset)))
- for i := 0; i < n; i++ {
+ for i := range n {
 randIdx, err := rand.Int(rand.Reader, maxIdx)
 if err != nil {
 return "", fmt.Errorf("failed to generate random string: %w", err)
diff --git a/util/rbac/rbac.go b/util/rbac/rbac.go
index ac50ac45ae..1d555341a3 100644
--- a/util/rbac/rbac.go
+++ b/util/rbac/rbac.go
@@ -570,7 +570,7 @@ func newAdapter(builtinPolicy, userDefinedPolicy, runtimePolicy string) *argocdA
 func (a *argocdAdapter) LoadPolicy(model model.Model) error {
 for _, policyStr := range []string{a.builtinPolicy, a.userDefinedPolicy, a.runtimePolicy} {
- for _, line := range strings.Split(policyStr, "\n") {
+ for line := range strings.SplitSeq(policyStr, "\n") {
 if err := loadPolicyLine(strings.TrimSpace(line), model); err != nil {
 return err
 }
diff --git a/util/rbac/rbac_norace_test.go b/util/rbac/rbac_norace_test.go
index 2192ad8113..912d8b081c 100644
--- a/util/rbac/rbac_norace_test.go
+++ b/util/rbac/rbac_norace_test.go
@@ -1,5 +1,4 @@
 //go:build !race
-// +build !race
 package rbac
diff --git a/util/resource/revision_test.go b/util/resource/revision_test.go
index 38927fa397..d8b3ee7ae6 100644
--- a/util/resource/revision_test.go
+++ b/util/resource/revision_test.go
@@ -3,7 +3,7 @@ package resource
 import (
 "testing"
- . "github.com/argoproj/gitops-engine/pkg/utils/testing"
+ . "github.com/argoproj/argo-cd/gitops-engine/pkg/utils/testing"
 "github.com/stretchr/testify/assert"
 "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
diff --git a/util/session/sessionmanager.go b/util/session/sessionmanager.go
index e1fad660fd..1c98319129 100644
--- a/util/session/sessionmanager.go
+++ b/util/session/sessionmanager.go
@@ -13,6 +13,11 @@ import (
 "sync"
 "time"
+ otel_codes "go.opentelemetry.io/otel/codes"
+
+ "go.opentelemetry.io/otel"
+ "go.opentelemetry.io/otel/trace"
+
 "github.com/coreos/go-oidc/v3/oidc"
 "github.com/golang-jwt/jwt/v5"
 "github.com/google/uuid"
@@ -100,6 +105,13 @@ const (
 var InvalidLoginErr = status.Errorf(codes.Unauthenticated, invalidLoginError)
+// OpenTelemetry tracer for this package
+var tracer trace.Tracer
+
+func init() {
+ tracer = otel.Tracer("github.com/argoproj/argo-cd/v3/util/session")
+}
+
 // Returns the maximum cache size as number of entries
 func getMaximumCacheSize() int {
 return env.ParseNumFromEnv(envLoginMaxCacheSize, defaultMaxCacheSize, 1, math.MaxInt32)
@@ -536,6 +548,9 @@ func WithAuthMiddleware(disabled bool, isSSOConfigured bool, ssoClientApp *oidcu
 // VerifyToken verifies if a token is correct. Tokens can be issued either from us or by an IDP.
 // We choose how to verify based on the issuer.
 func (mgr *SessionManager) VerifyToken(ctx context.Context, tokenString string) (jwt.Claims, string, error) {
+ var span trace.Span
+ ctx, span = tracer.Start(ctx, "session.SessionManager.VerifyToken")
+ defer span.End()
 parser := jwt.NewParser(jwt.WithoutClaimsValidation())
 claims := jwt.MapClaims{}
 _, _, err := parser.ParseUnverified(tokenString, &claims)
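Review bot: The import alias `otel_codes` in the sessionmanager.go import hunk uses an underscore, which Go naming conventions and the usual linters flag; `otelcodes` is the conventional form, and an alias is indeed required because `codes` is already the grpc package used in `InvalidLoginErr`. The alias is also placed in its own group above the blank-separated `go.opentelemetry.io/otel` pair, so the three otel imports end up split across two groups; keeping them together is tidier. In the `@@ -100,6` hunk, `var tracer trace.Tracer` plus an `init()` can be collapsed to the single declaration `var tracer = otel.Tracer("github.com/argoproj/argo-cd/v3/util/session")`, which removes the init-order dependency and the separate comment-less `init`.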
@@ -568,7 +583,9 @@ func (mgr *SessionManager) VerifyToken(ctx context.Context, tokenString string)
 // return a dummy claims only containing a value for the issuer, so the
 // UI can handle expired tokens appropriately.
 if err != nil {
- log.Warnf("Failed to verify session token: %s", err)
+ errorMsg := "Failed to verify session token: " + err.Error()
+ span.SetStatus(otel_codes.Error, errorMsg)
+ log.Warn(errorMsg)
 tokenExpiredError := &oidc.TokenExpiredError{}
 if errors.As(err, &tokenExpiredError) {
 claims = jwt.MapClaims{
diff --git a/util/session/sessionmanager_norace_test.go b/util/session/sessionmanager_norace_test.go
index 083074fae1..5271ed665e 100644
--- a/util/session/sessionmanager_norace_test.go
+++ b/util/session/sessionmanager_norace_test.go
@@ -1,5 +1,4 @@
 //go:build !race
-// +build !race
 package session
@@ -27,7 +26,7 @@ func TestRandomPasswordVerificationDelay(t *testing.T) {
 mgr.sleep = func(d time.Duration) {
 sleptFor = d
 }
- for i := 0; i < 10; i++ {
+ for range 10 {
 sleptFor = 0
 start := time.Now()
 require.NoError(t, mgr.VerifyUsernamePassword("admin", "password"))
diff --git a/util/session/sessionmanager_test.go b/util/session/sessionmanager_test.go
index 1605d72be3..59d4f07f7d 100644
--- a/util/session/sessionmanager_test.go
+++ b/util/session/sessionmanager_test.go
@@ -7,6 +7,7 @@ import (
 stderrors "errors"
 "fmt"
 "io"
+ "maps"
 "math"
 "net/http"
 "net/http/httptest"
@@ -358,7 +359,6 @@ func TestSessionManager_WithAuthMiddleware(t *testing.T) {
 },
 }
 for _, tc := range cases {
- tc := tc
 t.Run(tc.name, func(t *testing.T) {
 // given
 mux := http.NewServeMux()
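Review bot: `span.SetStatus(otel_codes.Error, errorMsg)` in the VerifyToken hunk marks the span as failed for every verification error, including the expired-token case that the following `errors.As(err, &tokenExpiredError)` branch handles deliberately by returning dummy claims (per the comment above the hunk); an expired session is routine traffic, so those spans will inflate error rates in any tracing backend that alerts on span status. Consider setting the error status only on the non-expired path, and recording expiry as an attribute instead, e.g. `span.SetAttributes(attribute.Bool("token.expired", true))`, which needs the `go.opentelemetry.io/otel/attribute` import already used in util/oidc/provider.go. The remainder of the error branch and the end of the function lie outside the hunk.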
@@ -616,13 +616,13 @@ func TestLoginRateLimiter(t *testing.T) {
 }
 func TestMaxUsernameLength(t *testing.T) {
- username := ""
- for i := 0; i < maxUsernameLength+1; i++ {
- username += "a"
+ var username strings.Builder
+ for range maxUsernameLength + 1 {
+ username.WriteString("a")
 }
 settingsMgr := settings.NewSettingsManager(t.Context(), getKubeClient(t, "password", true), "argocd")
 mgr := newSessionManager(settingsMgr, getProjLister(), NewUserStateStorage(nil))
- err := mgr.VerifyUsernamePassword(username, "password")
+ err := mgr.VerifyUsernamePassword(username.String(), "password")
 assert.ErrorContains(t, err, fmt.Sprintf(usernameTooLongError, maxUsernameLength))
 }
@@ -666,9 +666,7 @@ func getKubeClientWithConfig(config map[string]string, secretConfig map[string][
 mergedSecretConfig := map[string][]byte{
 "server.secretkey": []byte("Hello, world!"),
 }
- for key, value := range secretConfig {
- mergedSecretConfig[key] = value
- }
+ maps.Copy(mergedSecretConfig, secretConfig)
 return fake.NewClientset(&corev1.ConfigMap{
 ObjectMeta: metav1.ObjectMeta{
@@ -1307,7 +1305,7 @@ func Test_PickFailureAttemptWhenOverflowed(t *testing.T) {
 }
 // inside pickRandomNonAdminLoginFailure, it uses random, so we need to test it multiple times
- for i := 0; i < 1000; i++ {
+ for range 1000 {
 user := pickRandomNonAdminLoginFailure(failures, "test")
 assert.Equal(t, "test2", *user)
 }
@@ -1327,7 +1325,7 @@ func Test_PickFailureAttemptWhenOverflowed(t *testing.T) {
 }
 // inside pickRandomNonAdminLoginFailure, it uses random, so we need to test it multiple times
- for i := 0; i < 1000; i++ {
+ for range 1000 {
 user := pickRandomNonAdminLoginFailure(failures, "test")
 assert.Equal(t, "test2", *user)
 }
diff --git a/util/settings/accounts.go b/util/settings/accounts.go
index 295e5d1448..e10cfd31fe 100644
--- a/util/settings/accounts.go
+++ b/util/settings/accounts.go
@@ -3,6 +3,7 @@ package settings
 import (
 "encoding/json"
 "fmt"
+ "slices"
 "strconv"
 "strings"
 "time"
@@ -86,12 +87,7 @@ func (a *Account) TokenIndex(id string) int {
 // HasCapability return true if the account has the specified capability.
 func (a *Account) HasCapability(capability AccountCapability) bool {
- for _, c := range a.Capabilities {
- if c == capability {
- return true
- }
- }
- return false
+ return slices.Contains(a.Capabilities, capability)
 }
 func (mgr *SettingsManager) saveAccount(name string, account Account) error {
@@ -263,7 +259,7 @@ func parseAccounts(secret *corev1.Secret, cm *corev1.ConfigMap) (map[string]Acco
 }
 switch suffix {
 case "":
- for _, capability := range strings.Split(val, ",") {
+ for capability := range strings.SplitSeq(val, ",") {
 capability = strings.TrimSpace(capability)
 if capability == "" {
 continue
diff --git a/util/settings/cluster_informer.go b/util/settings/cluster_informer.go
index ac4f69d4e7..8f8e6689bc 100644
--- a/util/settings/cluster_informer.go
+++ b/util/settings/cluster_informer.go
@@ -177,7 +177,7 @@ func secretToCluster(s *corev1.Secret) (*appv1.Cluster, error) {
 }
 var namespaces []string
- for _, ns := range strings.Split(string(s.Data["namespaces"]), ",") {
+ for ns := range strings.SplitSeq(string(s.Data["namespaces"]), ",") {
 if ns = strings.TrimSpace(ns); ns != "" {
 namespaces = append(namespaces, ns)
 }
diff --git a/util/settings/cluster_informer_test.go b/util/settings/cluster_informer_test.go
index 86a662c4f5..dfe62cf617 100644
--- a/util/settings/cluster_informer_test.go
+++ b/util/settings/cluster_informer_test.go
@@ -1,5 +1,4 @@
 //go:build race
-// +build race
 package settings
diff --git a/util/settings/settings.go b/util/settings/settings.go
index a45fa60ad9..dd8c6c1b15 100644
--- a/util/settings/settings.go
+++ b/util/settings/settings.go
@@ -32,7 +32,7 @@ import (
 "k8s.io/client-go/tools/cache"
 "sigs.k8s.io/yaml"
- enginecache "github.com/argoproj/gitops-engine/pkg/cache"
+ enginecache "github.com/argoproj/argo-cd/gitops-engine/pkg/cache"
 timeutil "github.com/argoproj/pkg/v2/time"
 "github.com/argoproj/argo-cd/v3/common"
@@ -1196,7 +1196,7 @@ func (mgr *SettingsManager) GetHelmSettings() (*v1alpha1.HelmOptions, error) {
 }
 helmOptions := &v1alpha1.HelmOptions{}
 if value, ok := argoCDCM.Data[helmValuesFileSchemesKey]; ok {
- for _, item := range strings.Split(value, ",") {
+ for item := range strings.SplitSeq(value, ",") {
 if item := strings.TrimSpace(item); item != "" {
 helmOptions.ValuesFileSchemes = append(helmOptions.ValuesFileSchemes, item)
 }
@@ -1335,13 +1335,13 @@ func (mgr *SettingsManager) GetSettings() (*ArgoCDSettings, error) {
 var settings ArgoCDSettings
 var errs []error
- updateSettingsFromConfigMap(&settings, argoCDCM)
 if err := mgr.updateSettingsFromSecret(&settings, argoCDSecret, secrets); err != nil {
 errs = append(errs, err)
 }
 if len(errs) > 0 {
 return &settings, errors.Join(errs...)
 }
+ updateSettingsFromConfigMap(&settings, argoCDCM)
 return &settings, nil
 }
@@ -1550,8 +1550,8 @@ func updateSettingsFromConfigMap(settings *ArgoCDSettings, argoCDCM *corev1.Conf
 func getExtensionConfigs(cmData map[string]string) map[string]string {
 result := make(map[string]string)
 for k, v := range cmData {
- if strings.HasPrefix(k, extensionConfig) {
- extName := strings.TrimPrefix(strings.TrimPrefix(k, extensionConfig), ".")
+ if extName, found := strings.CutPrefix(k, extensionConfig); found {
+ extName = strings.TrimPrefix(extName, ".")
 result[extName] = v
 }
 }
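Review bot: Moving `updateSettingsFromConfigMap(&settings, argoCDCM)` below the `len(errs) > 0` early return in the GetSettings hunk changes what callers receive on the error path: before, the returned `*ArgoCDSettings` already carried the config-map values even when the secret failed to load, now it carries only the secret-derived fields. Because the function returns `&settings` together with the error rather than nil, any caller that keeps using the partially populated settings after logging the error will observe this; that is worth calling out explicitly if intended. Nothing in the hunk shows why the config map must now be applied after the secret, so a one-line comment above the moved call stating the dependency would keep the next refactor from swapping the order back.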
@@ -2156,7 +2156,7 @@ func (mgr *SettingsManager) InitializeSettings(insecureModeEnabled bool) (*ArgoC
 now := time.Now().UTC()
 if adminAccount.PasswordHash == "" {
 randBytes := make([]byte, initialPasswordLength)
- for i := 0; i < initialPasswordLength; i++ {
+ for i := range initialPasswordLength {
 num, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters))))
 if err != nil {
 return err
@@ -2370,8 +2370,7 @@ func (mgr *SettingsManager) GetSensitiveAnnotations() map[string]bool {
 }
 value = strings.ReplaceAll(value, " ", "")
- keys := strings.Split(value, ",")
- for _, k := range keys {
+ for k := range strings.SplitSeq(value, ",") {
 annotationKeys[k] = true
 }
 return annotationKeys
diff --git a/util/settings/settings_test.go b/util/settings/settings_test.go
index fa6b3d64f6..f02a01b455 100644
--- a/util/settings/settings_test.go
+++ b/util/settings/settings_test.go
@@ -5,6 +5,7 @@ import (
 "crypto/tls"
 "crypto/x509"
 "fmt"
+ "maps"
 "net/http"
 "os"
 "sort"
@@ -135,7 +136,6 @@ func TestGetExtensionConfigs(t *testing.T) {
 }
 for _, tc := range testCases {
- tc := tc
 t.Run(tc.name, func(t *testing.T) {
 // When
 output := getExtensionConfigs(tc.input)
@@ -545,9 +545,7 @@ func TestGetResourceOverrides_with_splitted_keys(t *testing.T) {
 }
 func mergemaps(mapA map[string]string, mapB map[string]string) map[string]string {
- for k, v := range mapA {
- mapB[k] = v
- }
+ maps.Copy(mapB, mapA)
 return mapB
 }
@@ -1873,8 +1871,6 @@ rootCA: "invalid"`},
 }
 for _, testCase := range testCases {
- testCase := testCase
-
 t.Run(testCase.name, func(t *testing.T) {
 if testCase.expectNilTLSConfig {
 assert.Nil(t, testCase.settings.OIDCTLSConfig())
diff --git a/util/templates/normalizers.go b/util/templates/normalizers.go
index 8dcbc31bef..d76219b4f8 100644
--- a/util/templates/normalizers.go
+++ b/util/templates/normalizers.go
@@ -25,7 +25,7 @@ func (s normalizer) trim() normalizer {
 func (s normalizer) indent() normalizer {
 indentedLines := []string{}
- for _, line := range strings.Split(s.string, "\n") {
+ for line := range strings.SplitSeq(s.string, "\n") {
 trimmed := strings.TrimSpace(line)
 indented := Indentation + trimmed
 indentedLines = append(indentedLines, indented)
diff --git a/util/tls/tls.go b/util/tls/tls.go
index 4e671c631c..36b9e3909b 100644
--- a/util/tls/tls.go
+++ b/util/tls/tls.go
@@ -87,7 +87,7 @@ func getTLSCipherSuitesByString(cipherSuites string) ([]uint16, error) {
 suiteMap[s.Name] = s.ID
 }
 allowedSuites := make([]uint16, 0)
- for _, s := range strings.Split(cipherSuites, ":") {
+ for s := range strings.SplitSeq(cipherSuites, ":") {
 id, ok := suiteMap[strings.TrimSpace(s)]
 if !ok {
 return nil, fmt.Errorf("invalid cipher suite specified: %s", s)
diff --git a/util/versions/tags.go b/util/versions/tags.go
index 0223b910b7..3a9d3d2585 100644
--- a/util/versions/tags.go
+++ b/util/versions/tags.go
@@ -3,6 +3,7 @@ package versions
 import (
 "errors"
 "fmt"
+ "slices"
 log "github.com/sirupsen/logrus"
@@ -29,10 +30,8 @@ func MaxVersion(revision string, tags []string) (string, error) {
 if err != nil {
 log.Debugf("Revision '%s' is not a valid semver constraint, resolving via basic string equality.", revision)
 // If this is also an invalid constraint, we just iterate over available tags to determine if it is valid/invalid.
- for _, tag := range tags {
- if tag == revision {
- return revision, nil
- }
+ if slices.Contains(tags, revision) {
+ return revision, nil
 }
 return "", fmt.Errorf("failed to determine semver constraint: %w", err)
 }
diff --git a/util/webhook/webhook.go b/util/webhook/webhook.go
index 879e6c6938..93a0a0ed09 100644
--- a/util/webhook/webhook.go
+++ b/util/webhook/webhook.go
@@ -131,10 +131,8 @@ func NewHandler(namespace string, applicationNamespaces []string, webhookParalle
 func (a *ArgoCDWebhookHandler) startWorkerPool(webhookParallelism int) {
 compLog := log.WithField("component", "api-server-webhook")
- for i := 0; i < webhookParallelism; i++ {
- a.Add(1)
- go func() {
- defer a.Done()
+ for range webhookParallelism {
+ a.Go(func() {
 for {
 payload, ok := <-a.queue
 if !ok {
@@ -142,7 +140,7 @@ func (a *ArgoCDWebhookHandler) startWorkerPool(webhookParallelism int) {
 }
 guard.RecoverAndLog(func() { a.HandleEvent(payload) }, compLog, panicMsgServer)
 }
- }()
+ })
 }
 }
@@ -481,7 +479,7 @@ func (a *ArgoCDWebhookHandler) storePreviouslyCachedManifests(app *v1alpha1.Appl
 cache.LogDebugManifestCacheKeyFields("moving manifests cache", "webhook app revision changed", change.shaBefore, &source, refSources, &clusterInfo, app.Spec.Destination.Namespace, trackingMethod, appInstanceLabelKey, app.Name, nil)
- if err := a.repoCache.SetNewRevisionManifests(change.shaAfter, change.shaBefore, &source, refSources, &clusterInfo, app.Spec.Destination.Namespace, trackingMethod, appInstanceLabelKey, app.Name, nil, installationID); err != nil {
+ if err := a.repoCache.SetNewRevisionManifests(change.shaAfter, change.shaBefore, &source, refSources, refSources, &clusterInfo, app.Spec.Destination.Namespace, trackingMethod, appInstanceLabelKey, app.Name, nil, nil, installationID); err != nil {
 return fmt.Errorf("error setting new revision manifests: %w", err)
 }
diff --git a/util/webhook/webhook_test.go b/util/webhook/webhook_test.go
index d2efa56610..747e586efa 100644
--- a/util/webhook/webhook_test.go
+++ b/util/webhook/webhook_test.go
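Review bot: The new `SetNewRevisionManifests` call in the `@@ -481,7` hunk passes `refSources` twice in adjacent positions and `nil, nil` right after `app.Name`, which reads like a copy-paste slip rather than a deliberate widening of the signature; if the second `refSources` and the second `nil` are genuinely distinct parameters of the new signature (not visible here), binding them to descriptively named locals or adding a short inline comment naming each parameter would make the call reviewable, and the preceding `LogDebugManifestCacheKeyFields` call, which was left with the old argument list, should be checked for the same mismatch. The enclosing storePreviouslyCachedManifests function starts and ends outside the hunk. In the first hunk, `a.Go(func() {…})` presumably relies on `sync.WaitGroup.Go`, which exists only from Go 1.25, so the module's `go` directive must allow it.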
@@ -523,7 +523,7 @@ func Test_affectedRevisionInfo_appRevisionHasChanged(t *testing.T) {
 // The payload's "push.changes[0].new.name" member seems to only have the branch name (based on the example payload).
 // https://support.atlassian.com/bitbucket-cloud/docs/event-payloads/#EventPayloads-Push
 var pl bitbucket.RepoPushPayload
- err := json.Unmarshal([]byte(fmt.Sprintf(`{"push":{"changes":[{"new":{"name":%q}}]}}`, branchName)), &pl)
+ err := json.Unmarshal(fmt.Appendf(nil, `{"push":{"changes":[{"new":{"name":%q}}]}}`, branchName), &pl)
 require.NoError(t, err)
 return pl
 }