Fixed Critical CVE

incubating/argo-cd-sync/CHANGELOG.md

@@ -1,29 +1,35 @@
 # Changelog
 
+## [1.4.5] - 2024-04-04
+### Fixed
+- fixing CVEs
+- upgrade requirements.txt
+- install Python modules locally
+
 ## [1.4.4] - 2024-03-07
 ### Fixed
-Do not sync an application in auto-sync mode
-Check for application existence before anything is done
+- Do not sync an application in auto-sync mode
+- Check for application existence before anything is done
 
 ## [1.4.3] - 2024-02-22
 ### Fixed
-intercepting application not found for better error message
+- Intercepting application not found for better error message
 
 ### Changed
-Move the creation of the link to the application earlier
-Exit with error when app is in OUT_OF_SYNC state
+- Move the creation of the link to the application earlier
+- Exit with error when app is in OUT_OF_SYNC state
 
 ## [1.4.2] - 2024-01-17
 ### Changed
-New graphql call to speed up query
+- New graphql call to speed up query
 
 ## [1.4.1] - 2023-10-31
 ### Changed
-Add CA_BUNDLE option
+- Add CA_BUNDLE option
 
 ## [1.4.0] - 2023-10-30
 ### Changed
-Add INSECURE option
+- Add INSECURE option
 
 ## [1.3.1] - 2023-09-18
 ### Fixed

incubating/argo-cd-sync/Dockerfile

@@ -1,8 +1,16 @@
-FROM    python:3.12.0-bookworm
-WORKDIR /app
-COPY    requirements.txt requirements.txt
+FROM    python:3.13.0a5-bookworm
+
+
+# USER codefresh
+RUN useradd -d /home/codefresh -m -s /usr/bin/bash codefresh
+USER codefresh
+WORKDIR /home/codefresh
+
+ENV PYTHONPATH /home/codefresh/.local/lib/python3.13/site-packages/
+
+COPY    --chown=codefresh requirements.txt requirements.txt
 RUN     pip3 install --upgrade pip
-RUN     pip3 install -r requirements.txt
+RUN     pip3 install --user -r requirements.txt
 COPY    queries queries/
 COPY    argocd_sync.py run.py
 CMD     [ "python3", "run.py"]

incubating/argo-cd-sync/requirements.txt

@@ -1,11 +1,11 @@
 backoff==2.2.1
-certifi==2023.7.22
-charset-normalizer==3.1.0
-gql==3.4.0
+certifi==2024.2.2
+charset-normalizer==3.3.2
+gql==3.5.0
 graphql-core==3.2.3
-idna==3.4
-multidict==6.0.4
-requests==2.28.2
-requests-toolbelt==0.10.1
-urllib3==1.26.16
-yarl==1.9.2
+idna==3.6
+multidict==6.0.5
+requests==2.31.0
+requests-toolbelt==1.0.0
+urllib3==2.2.1
+yarl==1.9.4

incubating/argo-cd-sync/step.yaml

@@ -1,7 +1,7 @@
 kind: step-type
 metadata:
   name: argo-cd-sync
-  version: 1.4.4
+  version: 1.4.5
   isPublic: true
   description: Syncs Argo CD apps managed by our GitOps Runtimes
   sources:
@@ -120,7 +120,7 @@ spec:
         },
         "IMAGE_TAG": {
           "type": "string",
-          "default": "1.4.4",
+          "default": "1.4.5",
           "description": "OPTIONAL - To overwrite the tag to use"
         }
       }
@@ -157,7 +157,7 @@ spec:
       [[ if .Arguments.CA_BUNDLE ]]
         - echo [[ .Arguments.CA_BUNDLE ]] | base64 -d >/root/bundle.pem
       [[ end ]]
-        - cd /app
+        - cd /home/codefresh
         - python3 run.py
 
   delimiters: