Argocd app status CVE (#712)

Author: lrochette

Diff for: incubating/argocd-app-status/.gitignore

@@ -0,0 +1,3 @@
+build
+dist
+argocd_app_status.spec

Diff for: incubating/argocd-app-status/CHANGELOG.md

@@ -1,14 +1,24 @@
 # Changelog
-## [1.1.2] - 2023-09-18
+## [1.1.3] - 2024-11-20
 ### Changed
+* upgrade yarl to 1.17.2
+
+### Fixed
+* CVE-2024-45491 - upgrade libexpat1
+* CVE-2024-45492 - upgrade libexpat1
+* CVE-2024-37371 - upgrade libkrb5
+* CVE-2023-45853 - upgrade zlib1g
+
+## [1.1.2] - 2023-09-18
+
 
 ### Fixed
 - PYSEC-2023-135 - upgrade Python module certifi to 2023.7.22
 - CVE-2019-8457 - upgrade base image to python:3.11.5-slim-bookworm
 
 ## [1.1.1] - 2023-06-03
 ### Changed
-- Upgrade pythpn version to 3.11.3
+- Upgrade python version to 3.11.3
 
 ### Fixed
 - Link for application

Diff for: incubating/argocd-app-status/Dockerfile

@@ -1,7 +1,24 @@
-FROM    python:3.11.5-slim-bookworm
+# stage 1 Build
+# Bookworm is debian based
+FROM    python:3.13.1-slim-bookworm AS builder
 WORKDIR /app
 COPY    requirements.txt requirements.txt
-RUN     pip3 install -r requirements.txt
 COPY    queries queries/
 COPY    argocd_app_status.py argocd_app_status.py
-CMD     [ "python3", "argocd_app_status.py"]
+
+RUN apt-get update && apt-get install -y binutils
+RUN pip3 install -r requirements.txt
+RUN pip3 install pyinstaller
+RUN pyinstaller --strip --onefile argocd_app_status.py
+
+# stage 2 : Prod
+FROM    debian:bookworm-slim
+
+# USER cfuser
+RUN adduser cfuser --home /home/codefresh --shel /bin/sh
+USER cfuser
+
+WORKDIR /app
+COPY    queries queries/
+COPY    --from=builder /app/dist/argocd_app_status argocd_app_status
+ENTRYPOINT ["/app/argocd_app_status"]

Diff for: incubating/argocd-app-status/requirements.txt

@@ -5,10 +5,10 @@ docopt==0.6.2
 gql==3.4.0
 graphql-core==3.2.3
 idna==3.4
-multidict==6.0.4
+multidict==6.1.0
 pipreqs==0.4.13
 requests==2.31.0
 requests-toolbelt==0.10.1
 urllib3==1.26.16
 yarg==0.1.9
-yarl==1.9.2
+yarl==1.17.2

Diff for: incubating/argocd-app-status/step.yaml

@@ -1,7 +1,7 @@
 kind: step-type
 metadata:
   name: argocd-app-status
-  version: 1.1.2
+  version: 1.1.3
   isPublic: true
   description: Get Argo CD App status and return its sybc and health status
   sources:
@@ -61,7 +61,7 @@ spec:
         },
         "IMAGE_TAG": {
           "type": "string",
-          "default": "1.1.2",
+          "default": "1.1.3",
           "description": "OPTIONAL - To overwrite the tag to use"
         }
       }
@@ -97,7 +97,7 @@ spec:
       [[- end ]]
       commands:
         - cd /app
-        - python3 argocd_app_status.py
+        - /app/argocd_app_status
   delimiters:
     left: '[['
     right: ']]'