argo-rollouts.advisories.yaml

schema-version: 2.0.2

package:
  name: argo-rollouts

advisories:
  - id: CGA-2j53-2h34-29mr
    aliases:
      - CVE-2025-1767
      - GHSA-3wgm-2gw2-vh5m
    events:
      - timestamp: 2025-03-15T08:41:42Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 1b1ff84eefc656ff
            componentName: k8s.io/kubernetes
            componentVersion: v1.29.14
            componentType: go-module
            componentLocation: /usr/bin/kubectl-argo-rollouts
            scanner: grype
      - timestamp: 2025-03-18T01:32:23Z
        type: pending-upstream-fix
        data:
          note: 'The k8s.io CVE affecting this package is currently in the triage stage upstream, PR on the issue can be found here: https://github.com/kubernetes/kubernetes/issues/130786'

  - id: CGA-4x3w-pm5j-g8x7
    aliases:
      - CVE-2024-51744
      - GHSA-29wx-vh33-7x7r
    events:
      - timestamp: 2024-11-05T08:06:27Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: fe3ac507749aa853
            componentName: github.com/golang-jwt/jwt/v4
            componentVersion: v4.5.0
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2024-11-07T07:12:18Z
        type: fixed
        data:
          fixed-version: 1.7.2-r1

  - id: CGA-6mgv-3w46-mv3w
    aliases:
      - CVE-2024-45336
      - GHSA-7wrw-r4p8-38rx
    events:
      - timestamp: 2025-01-31T07:08:08Z
        type: fixed
        data:
          fixed-version: 1.7.2-r4

  - id: CGA-cwwf-5q56-9hrg
    aliases:
      - CVE-2025-0426
      - GHSA-jgfp-53c3-624w
    events:
      - timestamp: 2025-02-14T07:14:58Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: cd4a15041b9c8ebf
            componentName: k8s.io/kubernetes
            componentVersion: v1.29.7
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2025-02-17T13:19:31Z
        type: fixed
        data:
          fixed-version: 1.8.0-r2

  - id: CGA-f8h3-38xx-32ff
    aliases:
      - CVE-2024-45341
      - GHSA-3f6r-qh9c-x6mm
    events:
      - timestamp: 2025-01-31T07:08:09Z
        type: fixed
        data:
          fixed-version: 1.7.2-r4

  - id: CGA-m9rp-87wr-xj88
    aliases:
      - CVE-2024-45337
      - GHSA-v778-237x-gjrc
    events:
      - timestamp: 2024-12-12T16:45:24Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: a5dc50db9dd24a55
            componentName: golang.org/x/crypto
            componentVersion: v0.21.0
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2024-12-13T22:32:16Z
        type: fixed
        data:
          fixed-version: 1.7.2-r2

  - id: CGA-p5fw-6mr5-6cfw
    aliases:
      - CVE-2025-22869
    events:
      - timestamp: 2025-03-11T14:45:28Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 8f66b3775d18c36a
            componentName: golang.org/x/crypto
            componentVersion: v0.31.0
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2025-03-12T05:20:44Z
        type: fixed
        data:
          fixed-version: 1.8.0-r31

  - id: CGA-qqjm-hgqw-8v2c
    aliases:
      - CVE-2024-45338
      - GHSA-w32m-9786-jp63
    events:
      - timestamp: 2024-12-19T07:16:08Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: cd6956faad16a4c2
            componentName: golang.org/x/net
            componentVersion: v0.25.0
            componentType: go-module
            componentLocation: /usr/bin/kubectl-argo-rollouts
            scanner: grype
      - timestamp: 2024-12-19T13:44:20Z
        type: fixed
        data:
          fixed-version: 1.7.2-r3

  - id: CGA-vx3x-3442-f593
    aliases:
      - GHSA-29qp-crvh-w22m
    events:
      - timestamp: 2025-01-31T07:04:30Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: ff7d645c95dff5e5
            componentName: github.com/hashicorp/yamux
            componentVersion: v0.1.1
            componentType: go-module
            componentLocation: /usr/bin/kubectl-argo-rollouts
            scanner: grype
      - timestamp: 2025-01-31T18:14:03Z
        type: true-positive-determination
        data:
          note: 'Awaiting release of fix by upstream dependency yamux: https://github.com/hashicorp/yamux/pull/143'
      - timestamp: 2025-02-07T07:06:48Z
        type: fixed
        data:
          fixed-version: 1.8.0-r0

  - id: CGA-vx45-986h-vq8v
    aliases:
      - CVE-2025-22866
      - GHSA-3whm-j4xm-rv8x
    events:
      - timestamp: 2025-02-08T10:08:35Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 6d7592f3bfe6bab4
            componentName: stdlib
            componentVersion: go1.23.5
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2025-02-09T17:42:05Z
        type: fixed
        data:
          fixed-version: 1.8.0-r1

  - id: CGA-x47x-j946-782j
    aliases:
      - CVE-2025-30204
      - GHSA-mh63-6h87-95cp
    events:
      - timestamp: 2025-03-22T07:04:31Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 716b2104dd0a94f0
            componentName: github.com/golang-jwt/jwt/v4
            componentVersion: v4.5.1
            componentType: go-module
            componentLocation: /usr/bin/kubectl-argo-rollouts
            scanner: grype
      - timestamp: 2025-03-24T07:54:22Z
        type: fixed
        data:
          fixed-version: 1.8.2-r0

  - id: CGA-x5vg-wx9v-2vc8
    aliases:
      - CVE-2025-22868
    events:
      - timestamp: 2025-03-11T14:45:25Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 9af2a1c5fd759681
            componentName: golang.org/x/oauth2
            componentVersion: v0.24.0
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2025-03-12T23:16:58Z
        type: fixed
        data:
          fixed-version: 1.8.0-r32

  - id: CGA-xm67-85wp-mq2j
    aliases:
      - CVE-2025-22870
      - GHSA-qxp5-gwg8-xv66
    events:
      - timestamp: 2025-03-14T06:28:20Z
        type: detection
        data:
          type: scan/v1
          data:
            subpackageName: argo-rollouts
            componentID: 5d49bdc16c3711a0
            componentName: golang.org/x/net
            componentVersion: v0.33.0
            componentType: go-module
            componentLocation: /usr/bin/rollouts-controller
            scanner: grype
      - timestamp: 2025-03-14T23:24:02Z
        type: fixed
        data:
          fixed-version: 1.8.0-r33