OpenShift GitOps
GITOPS-8411

CVE-2025-55190 still blocking due to github.com/argoproj/argo-cd/v2@v2.14.11 in gitops-rhel8:v1.18.1


      Description of Problem

      • Banking and financial regulations require High severity images to be blocked. CVE-2025-55190 classifies as such and was addressed. Unfortunately, it seems that dependent Go modules still pull in the vulnerable code, and even if that isn't a security risk for the image, it blocks customers who need to comply with BAFIN (Banking and Financial) regulations.

      Additional Info

      • We've verified that 1.18.1-2 should be good to go, but it seems that either the Operator Catalog hasn't been updated or the Registry isn't referencing the correct image by tag.

      Problem Reproduction

      • Tags 1.18.1 and 1.18.1-2 reference the same manifest (same amd64 digest):
      $ skopeo inspect --raw docker://registry.redhat.io/openshift-gitops-1/console-plugin-rhel8:v1.18.1 | jq -r '.manifests[]|select(.platform.architecture=="amd64")|.digest'
      sha256:22f95edd885609dfbf1b606fc5d41f2efa5361cbec1f1918e5d774a030779ea0
      
      $ skopeo inspect --raw docker://registry.redhat.io/openshift-gitops-1/console-plugin-rhel8:v1.18.1-2 | jq -r '.manifests[]|select(.platform.architecture=="amd64")|.digest'
      sha256:22f95edd885609dfbf1b606fc5d41f2efa5361cbec1f1918e5d774a030779ea0
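The check above pipes `skopeo inspect --raw` through a jq filter to pull out the amd64 digest of each tag and compares the two by eye. The following is an added example (not code from the reporter or from the OpenShift GitOps project) that performs the same selection in Python over constructed sample manifest lists, so it runs offline: it extracts the per-architecture digest, reports whether two tags resolve to the same manifest, and groups all tags by digest so that any rebuild tag that was never actually republished shows up in one pass. The digests, the `v1.18.1-rebuilt-example` tag and the `SAMPLE_MANIFESTS` data are placeholders constructed for this example; on a real registry the input to `arch_digest` would be the output of the `skopeo inspect --raw` command shown above.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed placeholder digests (not real image digests).
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
DIGEST_C = "sha256:" + "c" * 64


def _manifest_list(amd64: str, arm64: str) -> str:
    """Build a minimal OCI image index (the shape `skopeo inspect --raw`
    returns for a multi-arch tag) as a JSON string. Constructed sample,
    not a real registry response."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.index.v1+json",
        "manifests": [
            {"digest": amd64, "platform": {"architecture": "amd64", "os": "linux"}},
            {"digest": arm64, "platform": {"architecture": "arm64", "os": "linux"}},
        ],
    })


# Constructed sample: v1.18.1 and v1.18.1-2 point at the same amd64 manifest,
# mirroring what the report observed; the third tag is a hypothetical rebuild
# that really was republished with a new manifest.
SAMPLE_MANIFESTS: Dict[str, str] = {
    "v1.18.1": _manifest_list(DIGEST_A, DIGEST_B),
    "v1.18.1-2": _manifest_list(DIGEST_A, DIGEST_B),
    "v1.18.1-rebuilt-example": _manifest_list(DIGEST_C, DIGEST_B),
}


def arch_digest(raw_manifest: str, arch: str = "amd64") -> Optional[str]:
    """Same selection as the jq filter in the report: return the digest of the
    manifest entry whose platform.architecture matches. Returns None for a
    single-arch image (no 'manifests' array) or when the arch is absent."""
    doc = json.loads(raw_manifest)
    for entry in doc.get("manifests", []):
        if entry.get("platform", {}).get("architecture") == arch:
            return entry.get("digest")
    return None


def same_image(manifests: Dict[str, str], tag_a: str, tag_b: str,
               arch: str = "amd64") -> Tuple[bool, Optional[str], Optional[str]]:
    """Report whether two tags resolve to the same per-arch manifest digest.
    Two missing digests do not count as 'same'."""
    digest_a = arch_digest(manifests[tag_a], arch)
    digest_b = arch_digest(manifests[tag_b], arch)
    return (digest_a is not None and digest_a == digest_b, digest_a, digest_b)


def tags_by_digest(manifests: Dict[str, str],
                   arch: str = "amd64") -> Dict[str, List[str]]:
    """Group tags by the digest they resolve to. A group holding more than one
    tag means a new tag was published without a new manifest behind it, which
    is exactly why a scanner keeps flagging the 'fixed' tag."""
    groups: Dict[str, List[str]] = {}
    for tag, raw in manifests.items():
        digest = arch_digest(raw, arch) or "<no manifest for %s>" % arch
        groups.setdefault(digest, []).append(tag)
    return groups


if __name__ == "__main__":
    same, da, db = same_image(SAMPLE_MANIFESTS, "v1.18.1", "v1.18.1-2")
    print("v1.18.1 vs v1.18.1-2 share the amd64 manifest:", same)
    for digest, tags in tags_by_digest(SAMPLE_MANIFESTS).items():
        if len(tags) > 1:
            print("tags sharing %s...: %s" % (digest[:19], tags))
```

When the two tags share a digest, as in the report, a rescan of the `-2` tag cannot produce a different result, because the scanner is looking at the same bytes; the useful follow-up is to check whether the catalog's bundle references the image by the new tag or by the old digest.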

      Reproducibility

      • Always

      Prerequisites/Environment

      • OpenShift 4.18+, XRay Scanner, Quay.io/Clair

      Steps to Reproduce

      • Configure ACM/ACS to refuse to run High severity images
      • Alternatively, checking the CVE score should be sufficient to identify the issue

      Expected Results

      • Lower CVE score due to updates to the image source

      Actual Results

      • Blocked due to high CVE score

      Problem Analysis

      • <Completed by engineering team as part of the triage/refinement process>

      Root Cause

      • <What is the root cause of the problem? Or, why is it not a bug?>

      Workaround (If Possible)

      • Add a regulatory exception allowing High severity images to run in production.

      Fix Approaches

      • <If we decide to fix this bug, how will we do it?>

      Acceptance Criteria

      • ...

      Definition of Done

      • Code Complete:
        • All code has been written, reviewed, and approved.
      • Tested:
        • Unit tests have been written and passed.
        • Ensure code coverage is not reduced with the changes.
        • Integration tests have been automated.
        • System tests have been conducted, and all critical bugs have been fixed.
        • Tested and merged on OpenShift either upstream or downstream on a local build.
      • Documentation:
        • User documentation or release notes have been written (if applicable).
      • Build:
        • Code has been successfully built and integrated into the main repository / project.
        • Midstream changes (if applicable) are done, reviewed, approved and merged.
      • Review:
        • Code has been peer-reviewed and meets coding standards.
        • All acceptance criteria defined in the user story have been met.
        • Tested by reviewer on OpenShift.
      • Deployment:
        • The feature has been deployed on OpenShift cluster for testing.

              kykchong@redhat.com Keith Chong
              rhn-support-milang Michaela Lang