github.com/argoproj/argo-cd/v2@v2.10.9/.snyk

# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
version: v1.22.1
# ignores vulnerabilities until expiry date; change duration by modifying expiry date
ignore:
  SNYK-JS-ANSIREGEX-1583908:
    - '*':
        reason: >-
          Code is only run client-side in the swagger-ui endpoint. No risk of
          server-side DoS.
  SNYK-CC-K8S-44:
    - 'manifests/core-install.yaml > *':
        reason: >-
          Argo CD needs wide permissions to manage resources.
    - 'manifests/install.yaml > *':
        reason: >-
          Argo CD needs wide permissions to manage resources.
  SNYK-JS-MOMENT-2440688:
    - '*':
        reason: >-
          Code is only run client-side. No risk of directory traversal.
  SNYK-GOLANG-GITHUBCOMEMICKLEIGORESTFUL-2435653:
    - '*':
        reason: >-
          Argo CD uses go-restful as a transitive dependency of kube-openapi. kube-openapi is used to generate openapi
          specs. We do not use go-restful at runtime and are therefore not vulnerable to this CORS misconfiguration
          issue in go-restful.
  SNYK-JS-FORMIDABLE-2838956:
    - '*':
        reason: >-
          Code is only run client-side. No risk of arbitrary file upload.
  SNYK-JS-PARSEPATH-2936439:
    - '*':
        reason: >-
          The issue is that, for specific URLs, parse-path may incorrectly identify the "resource" (domain name)
          portion. For example, in "http://127.0.0.1#@example.com", it identifies "example.com" as the "resource".

          We use parse-path on the client side, but permissions for git URLs are checked server-side. This is a
          potential usability issue, but it is not a security issue.
patch: {}
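The SNYK-JS-PARSEPATH-2936439 reason above describes a host misidentification that only matters if the misparsed value drives an access decision. The following is an added example, not code from parse-path or Argo CD: naiveResource is a hypothetical extractor that reproduces the described result, and isRepoAllowed with its allow-list is an assumed stand-in for an authoritative server-side check.

```javascript
// Added example: hypothetical helpers, not parse-path or Argo CD code.

// Naive extraction: treats everything before the last "@" as userinfo,
// without first ending the authority at "/", "?" or "#".
function naiveResource(url) {
  const afterScheme = url.slice(url.indexOf("://") + 3);
  const afterUserinfo = afterScheme.slice(afterScheme.lastIndexOf("@") + 1);
  return afterUserinfo.split(/[/:?#]/)[0];
}

// Standards-based extraction: the WHATWG URL parser ends the authority at
// the first "/", "?" or "#", so "#@example.com" is only a fragment.
function parsedHost(url) {
  return new URL(url).hostname;
}

// Authoritative decision: exact host match against an allow-list, using
// only the standards-based host. The listed hosts are constructed values.
const ALLOWED_HOSTS = new Set(["github.com", "example.com"]);
function isRepoAllowed(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is rejected, never guessed at
  }
  if (!["http:", "https:", "ssh:"].includes(parsed.protocol)) return false;
  return ALLOWED_HOSTS.has(parsed.hostname);
}

// Flags inputs where a display-side parser and the authoritative one disagree.
function hostsDisagree(url) {
  return naiveResource(url) !== parsedHost(url);
}

const samples = [
  "http://127.0.0.1#@example.com",               // URL quoted in the policy file
  "https://git@github.com/argoproj/argo-cd.git", // ordinary userinfo form
];
for (const u of samples) {
  console.log(u, {
    naive: naiveResource(u), parsed: parsedHost(u),
    allowed: isRepoAllowed(u), disagree: hostsDisagree(u),
  });
}
```

The quoted URL is rejected even though "example.com" is on the allow-list, because the decision uses the parsed host "127.0.0.1"; a disagreement between the two extractors is a useful signal to log.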