This repository has been archived by the owner on Oct 12, 2023. It is now read-only.

Vulnerable golang version used to package applicationset-controller #571

Open
rimasgo opened this issue Apr 4, 2022 · 2 comments
Comments

rimasgo commented Apr 4, 2022

Hello,

Applicationset-controller is packaged using an old golang version which contains vulnerabilities.

{
  "name": "go",
  "version": "1.17.6",
  "path": "/usr/local/bin/applicationset-controller",
  "layerTime": 1646920413,
  "knownVulnerabilities": 55
},

CVEs:

CVE-2022-23806 | critical | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 11-Feb-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-24921 | high | | go | 1.17.6 | fixed in 1.17.8, 1.16.15 | 03-Mar-2022 00:00 | 21-Mar-2022 13:11
CVE-2022-23773 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 18-Nov-2019 00:00 | 21-Mar-2022 13:11
CVE-2022-23772 | high | | go | 1.17.6 | fixed in 1.17.7, 1.16.14 | 19-Jan-2022 00:00 | 21-Mar-2022 13:11

I have raised a similar ticket for the argocd package.

argoproj/argo-cd#8853

It was fixed under argoproj/argo-cd#8866

Could you please repackage the applicationset-controller and release a new image with the binary built with the latest golang version?

Thanks!
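The scanner finding above can be reproduced without a scanner, because a Go binary embeds the toolchain version it was built with. The following is an added example, not part of the issue thread or the project's code: it reads that version and compares it with the "fixed in" releases listed above. The names `fix`, `fixes` and `affectedCVEs` are hypothetical, and the handling of release lines other than 1.16 and 1.17 is an assumption noted in the code.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
)

// fix: first patched release per Go line, from the scanner's "fixed in" column.
type fix struct {
	cve                string
	patch117, patch116 int
}

var fixes = []fix{
	{"CVE-2022-23806", 7, 14},
	{"CVE-2022-24921", 8, 15},
	{"CVE-2022-23773", 7, 14},
	{"CVE-2022-23772", 7, 14},
}

// affectedCVEs lists the CVEs above that a toolchain such as "go1.17.6" lacks fixes for.
// Assumptions: 1.18 and later carry all four fixes; lines older than 1.16 carry none.
func affectedCVEs(goVersion string) ([]string, error) {
	var minor, patch int
	if n, _ := fmt.Sscanf(goVersion, "go1.%d.%d", &minor, &patch); n < 1 {
		return nil, fmt.Errorf("unrecognised toolchain version %q", goVersion)
	}
	var hit []string
	for _, f := range fixes {
		fixed := minor >= 18 || (minor == 17 && patch >= f.patch117) ||
			(minor == 16 && patch >= f.patch116)
		if !fixed {
			hit = append(hit, f.cve)
		}
	}
	return hit, nil
}

func main() {
	// Inspects the binary named by the last argument (itself when run with none).
	info, err := buildinfo.ReadFile(os.Args[len(os.Args)-1])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cves, err := affectedCVEs(info.GoVersion)
	fmt.Println(info.GoVersion, cves, err)
}
```

A toolchain-version match shows only which fixes the binary was built without, not whether the program reaches the affected standard-library code.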

@rishabh625
Contributor

@wtam2018 @jgwest: do we have to re-release the older version?

@jgwest
Member

jgwest commented Apr 5, 2022

None of the CVEs impact APIs that are consumed by the applicationset controller, AFAIK.
