chore: add security section to generated release notes

Signed-off-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>

.github/ISSUE_TEMPLATE/release.md

@@ -0,0 +1,32 @@
+---
+name: Argo CD Release
+about: Used by our Release Champion to track progress of a minor release
+title: 'Argo CD Release vX.X'
+labels: 'release'
+assignees: ''
+---
+
+Target RC1 date: ___. __, ____
+Target GA date: ___. __, ____
+
+ - [ ] Create new section in the [Release Planning doc](https://docs.google.com/document/d/1trJIomcgXcfvLw0aYnERrFWfPjQOfYMDJOCh1S8nMBc/edit?usp=sharing)
+ - [ ] Schedule a Release Planning meeting roughly two weeks before the scheduled Release freeze date by adding it to the community calendar (or delegate this task to someone with write access to the community calendar)
+     - [ ] Include Zoom link in the invite
+ - [ ] Post in #argo-cd and #argo-contributors one week before the meeting
+ - [ ] Post again one hour before the meeting
+ - [ ] At the meeting, remove issues/PRs from the project's column for that release which have not been “claimed” by at least one Approver (add it to the next column if Approver requests that)
+ - [ ] 1wk before feature freeze post in #argo-contributors that PRs must be merged by DD-MM-YYYY to be included in the release - ask approvers to drop items from milestone they can’t merge
+ - [ ] At least two days before RC1 date, draft RC blog post and submit it for review (or delegate this task)
+ - [ ] Cut RC1 (or delegate this task to an Approver and coordinate timing)
+ - [ ] Create new release branch
+    - [ ] Add the release branch to ReadTheDocs
+    - [ ] Confirm that tweet and blog post are ready
+    - [ ] Trigger the release
+    - [ ] After the release is finished, publish tweet and blog post
+    - [ ] Post in #argo-cd and #argo-announcements with lots of emojis announcing the release and requesting help testing
+ - [ ] Monitor support channels for issues, cherry-picking bugfixes and docs fixes as appropriate (or delegate this task to an Approver and coordinate timing)
+ - [ ] At release date, evaluate if any bugs justify delaying the release. If not, cut the release (or delegate this task to an Approver and coordinate timing)
+ - [ ] If unreleased changes are on the release branch for {current minor version minus 3}, cut a final patch release for that series (or delegate this task to an Approver and coordinate timing)
+ - [ ] After the release, post in #argo-cd that the {current minor version minus 3} has reached EOL (example: https://cloud-native.slack.com/archives/C01TSERG0KZ/p1667336234059729)
+ - [ ] (For the next release champion) Review the [items scheduled for the next release](https://github.com/orgs/argoproj/projects/25). If any item does not have an assignee who can commit to finish the feature, move it to the next release.
+ - [ ] (For the next release champion) Schedule a time mid-way through the release cycle to review items again.

.github/workflows/ci-build.yaml

@@ -27,9 +27,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Download all Go modules
@@ -45,13 +45,13 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Restore go build cache
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -69,9 +69,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Run golangci-lint
@@ -92,11 +92,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -116,7 +116,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -133,12 +133,12 @@ jobs:
       - name: Run all unit tests
         run: make test-local
       - name: Generate code coverage artifacts
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: code-coverage
           path: coverage.out
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: test-results
           path: test-results/
@@ -155,11 +155,11 @@ jobs:
       - name: Create checkout directory
         run: mkdir -p ~/go/src/github.com/argoproj
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Create symlink in GOPATH
         run: ln -s $(pwd) ~/go/src/github.com/argoproj/argo-cd
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Install required packages
@@ -179,7 +179,7 @@ jobs:
         run: |
           echo "/usr/local/bin" >> $GITHUB_PATH
       - name: Restore go build cache
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -196,7 +196,7 @@ jobs:
       - name: Run all unit tests
         run: make test-race-local
       - name: Generate test results artifacts
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: race-results
           path: test-results/
@@ -206,9 +206,9 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: Create symlink in GOPATH
@@ -250,14 +250,14 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup NodeJS
-        uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # v3.5.1
+        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
         with:
           node-version: '12.18.4'
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -287,12 +287,12 @@ jobs:
       sonar_secret: ${{ secrets.SONAR_TOKEN }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
       - name: Restore node dependency cache
         id: cache-dependencies
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ui/node_modules
           key: ${{ runner.os }}-node-dep-v2-${{ hashFiles('**/yarn.lock') }}
@@ -303,11 +303,11 @@ jobs:
         run: |
           mkdir -p test-results
       - name: Get code coverage artifiact
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: code-coverage
       - name: Get test result artifact
-        uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
         with:
           name: test-results
           path: test-results
@@ -348,7 +348,7 @@ jobs:
     runs-on: ubuntu-22.04
     strategy:
       matrix:
-        k3s-version: [v1.24.3, v1.23.3, v1.22.6]
+        k3s-version: [v1.26.0, v1.25.4, v1.24.3, v1.23.3]
     needs: 
       - build-go
     env:
@@ -366,22 +366,14 @@ jobs:
       GITLAB_TOKEN: ${{ secrets.E2E_TEST_GITLAB_TOKEN }}  
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
       - name: GH actions workaround - Kill XSP4 process
         run: |
           sudo pkill mono || true
-      # ubuntu-22.04 comes with kubectl, but the version is not pinned. The version as of 2022-12-05 is 1.26.0 which
-      # breaks the `TestNamespacedResourceDiffing` e2e test. So we'll pin to 1.25 and then fix the underlying issue.
-      - name: Install kubectl
-        run: |
-          rm /usr/local/bin/kubectl
-          curl -LO https://dl.k8s.io/release/v1.25.4/bin/linux/amd64/kubectl
-          mv kubectl /usr/local/bin/kubectl
-          chmod +x /usr/local/bin/kubectl
       - name: Install K3S
         env:
           INSTALL_K3S_VERSION: ${{ matrix.k3s-version }}+k3s1
@@ -394,7 +386,7 @@ jobs:
           sudo chown runner $HOME/.kube/config
           kubectl version
       - name: Restore go build cache
-        uses: actions/cache@9b0c1fce7a93df8e3bb8926b0d6e9d89e92f20a7 # v3.0.11
+        uses: actions/cache@627f0f41f6904a5b1efbaed9f96d9eb58e92e920 # v3.2.4
         with:
           path: ~/.cache/go-build
           key: ${{ runner.os }}-go-build-v1-${{ github.run_id }}
@@ -422,7 +414,7 @@ jobs:
         run: |
           docker pull ghcr.io/dexidp/dex:v2.35.3
           docker pull argoproj/argo-cd-ci-builder:v1.0.0
-          docker pull redis:7.0.5-alpine
+          docker pull redis:7.0.7-alpine
       - name: Create target directory for binaries in the build-process
         run: |
           mkdir -p dist
@@ -450,7 +442,7 @@ jobs:
           set -x
           make test-e2e-local
       - name: Upload e2e-server logs
-        uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
+        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
           name: e2e-server-k8s${{ matrix.k3s-version }}.log
           path: /tmp/e2e-server.log

.github/workflows/codeql.yml

@@ -29,7 +29,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
       
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/image.yaml

@@ -29,10 +29,10 @@ jobs:
     env:
       GOPATH: /home/runner/work/argo-cd/argo-cd
     steps:
-      - uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
-      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           path: src/github.com/argoproj/argo-cd
 
@@ -54,7 +54,7 @@ jobs:
 
       # build
       - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
       - run: |
           IMAGE_PLATFORMS=linux/amd64
           if [[ "${{ github.event_name }}" == "push" || "${{ contains(github.event.pull_request.labels.*.name, 'test-arm-image') }}" == "true" ]]
@@ -62,7 +62,7 @@ jobs:
             IMAGE_PLATFORMS=linux/amd64,linux/arm64,linux/s390x,linux/ppc64le
           fi
           echo "Building image for platforms: $IMAGE_PLATFORMS"
-          docker buildx build --platform $IMAGE_PLATFORMS --push="${{ github.event_name == 'push' }}" \
+          docker buildx build --platform $IMAGE_PLATFORMS --sbom=false --provenance=false --push="${{ github.event_name == 'push' }}" \
             -t ghcr.io/argoproj/argo-cd/argocd:${{ steps.image.outputs.tag }} \
             -t quay.io/argoproj/argocd:latest .
         working-directory: ./src/github.com/argoproj/argo-cd
@@ -71,11 +71,18 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:latest)" >> $GITHUB_ENV
 
       - name: Sign Argo CD latest image
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd:latest
+          cosign sign --key env://COSIGN_PRIVATE_KEY quay.io/argoproj/argocd@${{ env.IMAGE_DIGEST }}
           # Displays the public key to share.
           cosign public-key --key env://COSIGN_PRIVATE_KEY
         env:

.github/workflows/pr-title-check.yml

@@ -0,0 +1,41 @@
+name: "Lint PR"
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - edited
+      - synchronize
+
+# IMPORTANT: No checkout actions, scripts, or builds should be added to this workflow. Permissions should always be used
+# with extreme caution.
+permissions:
+  contents: read
+
+# PR updates can happen in quick succession leading to this
+# workflow being trigger a number of times. This limits it
+# to one run per PR.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  main:
+    permissions:
+      pull-requests: read  # for amannn/action-semantic-pull-request to analyze PRs
+      statuses: write  # for amannn/action-semantic-pull-request to mark status of analyzed PR
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      # IMPORTANT: Carefully review changes when updating this action. Using the pull_request_target event requires caution.
+      - uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb # v5.0.2
+        with:
+          types: |
+            feat
+            fix
+            docs
+            test
+            ci
+            chore
+            [Bot] docs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yaml

@@ -12,7 +12,7 @@ on:
       - "!release-v0*"
 
 env:
-    GOLANG_VERSION: '1.18'
+  GOLANG_VERSION: '1.18'
 
 permissions:
   contents: read
@@ -43,7 +43,7 @@ jobs:
       GIT_EMAIL: argoproj@gmail.com
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
@@ -147,7 +147,7 @@ jobs:
           echo "RELEASE_NOTES=${RELEASE_NOTES}" >> $GITHUB_ENV
 
       - name: Setup Golang
-        uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.4.0
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOLANG_VERSION }}
 
@@ -201,13 +201,13 @@ jobs:
         if: ${{ env.DRY_RUN != 'true' }}
 
       - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
-      - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
+      - uses: docker/setup-buildx-action@15c905b16b06416d2086efa066dd8e3a35cc7f98 # v2.4.0
       - name: Build and push Docker image for release
         run: |
           set -ue
           git clean -fd
           mkdir -p dist/
-          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
+          docker buildx build --platform linux/amd64,linux/arm64,linux/s390x,linux/ppc64le --sbom=false --provenance=false --push -t ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION} -t argoproj/argocd:v${TARGET_VERSION} .
           make release-cli
           make checksums
           chmod +x ./dist/argocd-linux-amd64
@@ -217,11 +217,18 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
         with:
-          cosign-release: 'v1.13.0'
+          cosign-release: 'v1.13.1'
+
+      - name: Install crane to get digest of image
+        uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4
+
+      - name: Get digest of image
+        run: |
+          echo "IMAGE_DIGEST=$(crane digest quay.io/argoproj/argocd:v${TARGET_VERSION})" >> $GITHUB_ENV
 
       - name: Sign Argo CD container images and assets
         run: |
-          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd:v${TARGET_VERSION}
+          cosign sign --key env://COSIGN_PRIVATE_KEY ${IMAGE_NAMESPACE}/argocd@${{ env.IMAGE_DIGEST }}
           cosign sign-blob --key env://COSIGN_PRIVATE_KEY ./dist/argocd-${TARGET_VERSION}-checksums.txt > ./dist/argocd-${TARGET_VERSION}-checksums.sig
           # Retrieves the public key to release as an asset
           cosign public-key --key env://COSIGN_PRIVATE_KEY > ./dist/argocd-cosign.pub
@@ -264,7 +271,7 @@ jobs:
           SIGS_BOM_VERSION: v0.2.1
           # comma delimited list of project relative folders to inspect for package
           # managers (gomod, yarn, npm).
-          PROJECT_FOLDERS: ".,./ui" 
+          PROJECT_FOLDERS: ".,./ui"
           # full qualified name of the docker image to be inspected
           DOCKER_IMAGE: ${{env.IMAGE_NAMESPACE}}/argocd:v${{env.TARGET_VERSION}}
         run: |

.github/workflows/update-snyk.yaml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Build reports
@@ -31,6 +31,6 @@ jobs:
           git config --global user.email 'ci@argoproj.com'
           git config --global user.name 'CI'
           git add docs/snyk
-          git commit -m "[Bot] Update Snyk reports" --signoff
+          git commit -m "[Bot] docs: Update Snyk reports" --signoff
           git push --set-upstream origin "$pr_branch"
           gh pr create -B master -H "$pr_branch" --title '[Bot] docs: Update Snyk report' --body ''

Dockerfile

@@ -36,6 +36,8 @@ RUN ./install.sh helm-linux && \
 ####################################################################################################
 FROM $BASE_IMAGE AS argocd-base
 
+LABEL org.opencontainers.image.source="https://github.com/argoproj/argo-cd"
+
 USER root
 
 ENV ARGOCD_USER_ID=999

Makefile

@@ -64,13 +64,20 @@ else
 DOCKER_SRC_MOUNT="$(PWD):/go/src/github.com/argoproj/argo-cd$(VOLUME_MOUNT)"
 endif
 
+# User and group IDs to map to the test container
+CONTAINER_UID=$(shell id -u)
+CONTAINER_GID=$(shell id -g)
+
+# Set SUDO to sudo to run privileged commands with sudo
+SUDO?=
+
 # Runs any command in the argocd-test-utils container in server mode
 # Server mode container will start with uid 0 and drop privileges during runtime
 define run-in-test-server
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 		--name argocd-test-server \
-		-u $(shell id -u):$(shell id -g) \
-		-e USER_ID=$(shell id -u) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
+		-e USER_ID=$(CONTAINER_UID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e GOCACHE=/tmp/go-build-cache \
@@ -98,9 +105,9 @@ endef
 
 # Runs any command in the argocd-test-utils container in client mode
 define run-in-test-client
-	docker run --rm -it \
+	$(SUDO) docker run --rm -it \
 	  --name argocd-test-client \
-		-u $(shell id -u):$(shell id -g) \
+		-u $(CONTAINER_UID):$(CONTAINER_GID) \
 		-e HOME=/home/user \
 		-e GOPATH=/go \
 		-e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) \
@@ -119,7 +126,7 @@ endef
 
 #
 define exec-in-test-server
-	docker exec -it -u $(shell id -u):$(shell id -g) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
+	$(SUDO) docker exec -it -u $(CONTAINER_UID):$(CONTAINER_GID) -e ARGOCD_E2E_RECORD=$(ARGOCD_E2E_RECORD) -e ARGOCD_E2E_K3S=$(ARGOCD_E2E_K3S) argocd-test-server $(1)
 endef
 
 PATH:=$(PATH):$(PWD)/hack
@@ -244,8 +251,8 @@ release-cli: clean-debug build-ui
 .PHONY: test-tools-image
 test-tools-image:
 ifndef SKIP_TEST_TOOLS_IMAGE
-	docker build --build-arg UID=$(shell id -u) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
-	docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
+	$(SUDO) docker build --build-arg UID=$(CONTAINER_UID) -t $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) -f test/container/Dockerfile .
+	$(SUDO) docker tag $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE) $(TEST_TOOLS_PREFIX)$(TEST_TOOLS_IMAGE):$(TEST_TOOLS_TAG)
 endif
 
 .PHONY: manifests-local
@@ -326,7 +333,7 @@ mod-vendor: test-tools-image
 mod-vendor-local: mod-download-local
 	go mod vendor
 
-# Deprecated - replace by install-local-tools
+# Deprecated - replace by install-tools-local
 .PHONY: install-lint-tools
 install-lint-tools:
 	./hack/install.sh lint-tools

README.md

@@ -1,6 +1,17 @@
-[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22) [![slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack) [![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd) [![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486) [![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+**Releases:**
+[![Release Version](https://img.shields.io/github/v/release/argoproj/argo-cd?label=argo-cd)](https://github.com/argoproj/argo-cd/releases/latest)
 [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/argo-cd)](https://artifacthub.io/packages/helm/argo/argo-cd)
 
+**Code:** 
+[![Integration tests](https://github.com/argoproj/argo-cd/workflows/Integration%20tests/badge.svg?branch=master)](https://github.com/argoproj/argo-cd/actions?query=workflow%3A%22Integration+tests%22)
+[![codecov](https://codecov.io/gh/argoproj/argo-cd/branch/master/graph/badge.svg)](https://codecov.io/gh/argoproj/argo-cd)
+[![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/4486/badge)](https://bestpractices.coreinfrastructure.org/projects/4486)
+[![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd.svg?type=shield)](https://app.fossa.com/projects/git%2Bgithub.com%2Fargoproj%2Fargo-cd?ref=badge_shield)
+
+**Social:**
+[![Twitter Follow](https://img.shields.io/twitter/follow/argoproj?style=social)](https://twitter.com/argoproj)
+[![Slack](https://img.shields.io/badge/slack-argoproj-brightgreen.svg?logo=slack)](https://argoproj.github.io/community/join-slack)
+
 # Argo CD - Declarative Continuous Delivery for Kubernetes
 
 ## What is Argo CD?

SECURITY_CONTACTS

@@ -1,7 +1,7 @@
 # Defined below are the security contacts for this repo.
 #
 # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE
-# INSTRUCTIONS AT https://argo-cd.readthedocs.io/en/latest/security_considerations/#reporting-vulnerabilities
+# INSTRUCTIONS AT https://github.com/argoproj/argo-cd/security/policy
 
 alexmt
 edlee2121

USERS.md

@@ -31,6 +31,7 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [BigPanda](https://bigpanda.io)
 1. [BioBox Analytics](https://biobox.io)
 1. [BMW Group](https://www.bmwgroup.com/)
+1. [PT Boer Technology (Btech)](https://btech.id/)
 1. [Boozt](https://www.booztgroup.com/)
 1. [Boticario](https://www.boticario.com.br/)
 1. [Bulder Bank](https://bulderbank.no)
@@ -157,11 +158,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [OCCMundial](https://occ.com.mx)
 1. [Octadesk](https://octadesk.com)
 1. [omegaUp](https://omegaUp.com)
+1. [Omni](https://omni.se/)
 1. [openEuler](https://openeuler.org)
 1. [openGauss](https://opengauss.org/)
 1. [openLooKeng](https://openlookeng.io)
 1. [OpenSaaS Studio](https://opensaas.studio)
 1. [Opensurvey](https://www.opensurvey.co.kr/)
+1. [OpsMx](https://opsmx.io)
 1. [OpsVerse](https://opsverse.io)
 1. [Optoro](https://www.optoro.com/)
 1. [Orbital Insight](https://orbitalinsight.com/)
@@ -169,11 +172,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Packlink](https://www.packlink.com/)
 1. [Pandosearch](https://www.pandosearch.com/en/home)
 1. [PagerDuty](https://www.pagerduty.com/)
+1. [Patreon](https://www.patreon.com/)
 1. [PayPay](https://paypay.ne.jp/)
 1. [Peloton Interactive](https://www.onepeloton.com/)
 1. [Pigment](https://www.gopigment.com/)
 1. [Pipefy](https://www.pipefy.com/)
 1. [Pismo](https://pismo.io/)
+1. [Platform9 Systems](https://platform9.com/)
 1. [Polarpoint.io](https://polarpoint.io)
 1. [PostFinance](https://github.com/postfinance)
 1. [Preferred Networks](https://preferred.jp/en/)
@@ -195,11 +200,13 @@ Currently, the following organizations are **officially** using Argo CD:
 1. [Saildrone](https://www.saildrone.com/)
 1. [Saloodo! GmbH](https://www.saloodo.com)
 1. [Sap Labs](http://sap.com)
+1. [Sauce Labs](https://saucelabs.com/)
 1. [Schwarz IT](https://jobs.schwarz/it-mission)
 1. [SI Analytics](https://si-analytics.ai)
 1. [Skit](https://skit.ai/)
 1. [Skyscanner](https://www.skyscanner.net/)
 1. [Smilee.io](https://smilee.io)
+1. [Smood.ch](https://www.smood.ch/)
 1. [Snapp](https://snapp.ir/)
 1. [Snyk](https://snyk.io/)
 1. [Softway Medical](https://www.softwaymedical.fr/)

applicationset/controllers/applicationset_controller.go

@@ -71,7 +71,7 @@ type ApplicationSetReconciler struct {
 	utils.Policy
 	utils.Renderer
 
-	EnableProgressiveRollouts bool
+	EnableProgressiveSyncs bool
 }
 
 // +kubebuilder:rbac:groups=argoproj.io,resources=applicationsets,verbs=get;list;watch;create;update;patch;delete
@@ -142,7 +142,7 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 	// appSyncMap tracks which apps will be synced during this reconciliation.
 	appSyncMap := map[string]bool{}
 
-	if r.EnableProgressiveRollouts && applicationSetInfo.Spec.Strategy != nil {
+	if r.EnableProgressiveSyncs && applicationSetInfo.Spec.Strategy != nil {
 		applications, err := r.getCurrentApplications(ctx, applicationSetInfo)
 		if err != nil {
 			return ctrl.Result{}, fmt.Errorf("failed to get current applications for application set: %w", err)
@@ -152,9 +152,9 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 			appMap[app.Name] = app
 		}
 
-		appSyncMap, err = r.performProgressiveRollouts(ctx, applicationSetInfo, applications, desiredApplications, appMap)
+		appSyncMap, err = r.performProgressiveSyncs(ctx, applicationSetInfo, applications, desiredApplications, appMap)
 		if err != nil {
-			return ctrl.Result{}, fmt.Errorf("failed to perform progressive rollouts reconciliation for application set: %w", err)
+			return ctrl.Result{}, fmt.Errorf("failed to perform progressive sync reconciliation for application set: %w", err)
 		}
 	}
 
@@ -186,9 +186,9 @@ func (r *ApplicationSetReconciler) Reconcile(ctx context.Context, req ctrl.Reque
 		)
 	}
 
-	if r.EnableProgressiveRollouts {
+	if r.EnableProgressiveSyncs {
 		// trigger appropriate application syncs if RollingSync strategy is enabled
-		if progressiveRolloutStrategyEnabled(&applicationSetInfo, "RollingSync") {
+		if progressiveSyncsStrategyEnabled(&applicationSetInfo, "RollingSync") {
 			validApps, err = r.syncValidApplications(ctx, &applicationSetInfo, appSyncMap, appMap, validApps)
 
 			if err != nil {
@@ -775,24 +775,29 @@ func (r *ApplicationSetReconciler) removeFinalizerOnInvalidDestination(ctx conte
 	return nil
 }
 
-func (r *ApplicationSetReconciler) performProgressiveRollouts(ctx context.Context, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
-
-	_, err := r.updateApplicationSetApplicationStatus(ctx, &appset, applications)
-	if err != nil {
-		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
-	}
+func (r *ApplicationSetReconciler) performProgressiveSyncs(ctx context.Context, appset argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, desiredApplications []argov1alpha1.Application, appMap map[string]argov1alpha1.Application) (map[string]bool, error) {
 
 	appDependencyList, appStepMap, err := r.buildAppDependencyList(ctx, appset, desiredApplications)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build app dependency list: %w", err)
 	}
 
+	_, err = r.updateApplicationSetApplicationStatus(ctx, &appset, applications, appStepMap)
+	if err != nil {
+		return nil, fmt.Errorf("failed to update applicationset app status: %w", err)
+	}
+
+	log.Infof("ApplicationSet %v step list:", appset.Name)
+	for i, step := range appDependencyList {
+		log.Infof("step %v: %+v", i+1, step)
+	}
+
 	appSyncMap, err := r.buildAppSyncMap(ctx, appset, appDependencyList, appMap)
 	if err != nil {
 		return nil, fmt.Errorf("failed to build app sync map: %w", err)
 	}
 
-	log.Infof("appSyncMap: %+v", appSyncMap)
+	log.Infof("Application allowed to sync before maxUpdate?: %+v", appSyncMap)
 
 	_, err = r.updateApplicationSetApplicationStatusProgress(ctx, &appset, appSyncMap, appStepMap, appMap)
 	if err != nil {
@@ -815,7 +820,7 @@ func (r *ApplicationSetReconciler) buildAppDependencyList(ctx context.Context, a
 	}
 
 	steps := []argov1alpha1.ApplicationSetRolloutStep{}
-	if progressiveRolloutStrategyEnabled(&applicationSet, "RollingSync") {
+	if progressiveSyncsStrategyEnabled(&applicationSet, "RollingSync") {
 		steps = applicationSet.Spec.Strategy.RollingSync.Steps
 	}
 
@@ -941,7 +946,7 @@ func (r *ApplicationSetReconciler) buildAppSyncMap(ctx context.Context, applicat
 
 func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1alpha1.Application, appStatus argov1alpha1.ApplicationSetApplicationStatus) bool {
 
-	if progressiveRolloutStrategyEnabled(appset, "RollingSync") {
+	if progressiveSyncsStrategyEnabled(appset, "RollingSync") {
 		// we still need to complete the current step if the Application is not yet Healthy or there are still pending Application changes
 		return isApplicationHealthy(app) && appStatus.Status == "Healthy"
 	}
@@ -949,7 +954,7 @@ func appSyncEnabledForNextStep(appset *argov1alpha1.ApplicationSet, app argov1al
 	return true
 }
 
-func progressiveRolloutStrategyEnabled(appset *argov1alpha1.ApplicationSet, strategyType string) bool {
+func progressiveSyncsStrategyEnabled(appset *argov1alpha1.ApplicationSet, strategyType string) bool {
 	if appset.Spec.Strategy == nil || appset.Spec.Strategy.Type != strategyType {
 		return false
 	}
@@ -982,7 +987,7 @@ func statusStrings(app argov1alpha1.Application) (string, string, string) {
 }
 
 // check the status of each Application's status and promote Applications to the next status if needed
-func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
+func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx context.Context, applicationSet *argov1alpha1.ApplicationSet, applications []argov1alpha1.Application, appStepMap map[string]int) ([]argov1alpha1.ApplicationSetApplicationStatus, error) {
 
 	now := metav1.Now()
 	appStatuses := make([]argov1alpha1.ApplicationSetApplicationStatus, 0, len(applications))
@@ -993,22 +998,24 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 
 		idx := findApplicationStatusIndex(applicationSet.Status.ApplicationStatus, app.Name)
 
+		currentAppStatus := argov1alpha1.ApplicationSetApplicationStatus{}
+
 		if idx == -1 {
 			// AppStatus not found, set default status of "Waiting"
-			appStatuses = append(appStatuses, argov1alpha1.ApplicationSetApplicationStatus{
+			currentAppStatus = argov1alpha1.ApplicationSetApplicationStatus{
 				Application:        app.Name,
 				LastTransitionTime: &now,
 				Message:            "No Application status found, defaulting status to Waiting.",
 				Status:             "Waiting",
-			})
-			break
+				Step:               fmt.Sprint(appStepMap[app.Name] + 1),
+			}
+		} else {
+			// we have an existing AppStatus
+			currentAppStatus = applicationSet.Status.ApplicationStatus[idx]
 		}
 
-		// we have an existing AppStatus
-		currentAppStatus := applicationSet.Status.ApplicationStatus[idx]
-
 		appOutdated := false
-		if progressiveRolloutStrategyEnabled(applicationSet, "RollingSync") {
+		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
 			appOutdated = syncStatusString == "OutOfSync"
 		}
 
@@ -1017,14 +1024,22 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = "Waiting"
 			currentAppStatus.Message = "Application has pending changes, setting status to Waiting."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 		}
 
 		if currentAppStatus.Status == "Pending" {
-			if healthStatusString == "Progressing" || operationPhaseString == "Running" {
+			if operationPhaseString == "Succeeded" && app.Status.OperationState.StartedAt.After(currentAppStatus.LastTransitionTime.Time) {
+				log.Infof("Application %v has completed a sync successfully, updating its ApplicationSet status to Progressing", app.Name)
+				currentAppStatus.LastTransitionTime = &now
+				currentAppStatus.Status = "Progressing"
+				currentAppStatus.Message = "Application resource completed a sync successfully, updating status from Pending to Progressing."
+				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
+			} else if operationPhaseString == "Running" || healthStatusString == "Progressing" {
 				log.Infof("Application %v has entered Progressing status, updating its ApplicationSet status to Progressing", app.Name)
 				currentAppStatus.LastTransitionTime = &now
 				currentAppStatus.Status = "Progressing"
 				currentAppStatus.Message = "Application resource became Progressing, updating status from Pending to Progressing."
+				currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 			}
 		}
 
@@ -1033,6 +1048,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = healthStatusString
 			currentAppStatus.Message = "Application resource is already Healthy, updating status from Waiting to Healthy."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 		}
 
 		if currentAppStatus.Status == "Progressing" && isApplicationHealthy(app) {
@@ -1040,6 +1056,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatus(ctx con
 			currentAppStatus.LastTransitionTime = &now
 			currentAppStatus.Status = healthStatusString
 			currentAppStatus.Message = "Application resource became Healthy, updating status from Progressing to Healthy."
+			currentAppStatus.Step = fmt.Sprint(appStepMap[currentAppStatus.Application] + 1)
 		}
 
 		appStatuses = append(appStatuses, currentAppStatus)
@@ -1065,7 +1082,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 		totalCountMap := []int{}
 
 		length := 0
-		if progressiveRolloutStrategyEnabled(applicationSet, "RollingSync") {
+		if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
 			length = len(applicationSet.Spec.Strategy.RollingSync.Steps)
 		}
 		for s := 0; s < length; s++ {
@@ -1077,7 +1094,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 		for _, appStatus := range applicationSet.Status.ApplicationStatus {
 			totalCountMap[appStepMap[appStatus.Application]] += 1
 
-			if progressiveRolloutStrategyEnabled(applicationSet, "RollingSync") {
+			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
 				if appStatus.Status == "Pending" || appStatus.Status == "Progressing" {
 					updateCountMap[appStepMap[appStatus.Application]] += 1
 				}
@@ -1088,7 +1105,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 
 			maxUpdateAllowed := true
 			maxUpdate := &intstr.IntOrString{}
-			if progressiveRolloutStrategyEnabled(applicationSet, "RollingSync") {
+			if progressiveSyncsStrategyEnabled(applicationSet, "RollingSync") {
 				maxUpdate = applicationSet.Spec.Strategy.RollingSync.Steps[appStepMap[appStatus.Application]].MaxUpdate
 			}
 
@@ -1116,6 +1133,7 @@ func (r *ApplicationSetReconciler) updateApplicationSetApplicationStatusProgress
 				appStatus.LastTransitionTime = &now
 				appStatus.Status = "Pending"
 				appStatus.Message = "Application moved to Pending status, watching for the Application resource to start Progressing."
+				appStatus.Step = fmt.Sprint(appStepMap[appStatus.Application] + 1)
 
 				updateCountMap[appStepMap[appStatus.Application]] += 1
 			}
@@ -1263,7 +1281,7 @@ func (r *ApplicationSetReconciler) syncValidApplications(ctx context.Context, ap
 	return rolloutApps, nil
 }
 
-// used by the RollingSync Progressive Rollout strategy to trigger a sync of a particular Application resource
+// used by the RollingSync Progressive Sync strategy to trigger a sync of a particular Application resource
 func syncApplication(application argov1alpha1.Application, prune bool) (argov1alpha1.Application, error) {
 
 	operation := argov1alpha1.Operation{

applicationset/controllers/applicationset_controller_test.go

@@ -3548,6 +3548,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 		name              string
 		appSet            argov1alpha1.ApplicationSet
 		apps              []argov1alpha1.Application
+		appStepMap        map[string]int
 		expectedAppStatus []argov1alpha1.ApplicationSetApplicationStatus
 	}{
 		{
@@ -3602,8 +3603,9 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 			expectedAppStatus: []argov1alpha1.ApplicationSetApplicationStatus{
 				{
 					Application: "app1",
-					Message:     "No Application status found, defaulting status to Waiting.",
-					Status:      "Waiting",
+					Message:     "Application resource is already Healthy, updating status from Waiting to Healthy.",
+					Status:      "Healthy",
+					Step:        "1",
 				},
 			},
 		},
@@ -3643,8 +3645,9 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 			expectedAppStatus: []argov1alpha1.ApplicationSetApplicationStatus{
 				{
 					Application: "app1",
-					Message:     "No Application status found, defaulting status to Waiting.",
-					Status:      "Waiting",
+					Message:     "Application resource is already Healthy, updating status from Waiting to Healthy.",
+					Status:      "Healthy",
+					Step:        "1",
 				},
 			},
 		},
@@ -3667,6 +3670,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Application: "app1",
 							Message:     "",
 							Status:      "Healthy",
+							Step:        "1",
 						},
 					},
 				},
@@ -3688,6 +3692,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 					Application: "app1",
 					Message:     "Application has pending changes, setting status to Waiting.",
 					Status:      "Waiting",
+					Step:        "1",
 				},
 			},
 		},
@@ -3710,6 +3715,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Application: "app1",
 							Message:     "",
 							Status:      "Pending",
+							Step:        "1",
 						},
 					},
 				},
@@ -3731,6 +3737,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 					Application: "app1",
 					Message:     "Application resource became Progressing, updating status from Pending to Progressing.",
 					Status:      "Progressing",
+					Step:        "1",
 				},
 			},
 		},
@@ -3753,6 +3760,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Application: "app1",
 							Message:     "",
 							Status:      "Pending",
+							Step:        "1",
 						},
 					},
 				},
@@ -3780,6 +3788,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 					Application: "app1",
 					Message:     "Application resource became Progressing, updating status from Pending to Progressing.",
 					Status:      "Progressing",
+					Step:        "1",
 				},
 			},
 		},
@@ -3802,6 +3811,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Application: "app1",
 							Message:     "",
 							Status:      "Progressing",
+							Step:        "1",
 						},
 					},
 				},
@@ -3829,6 +3839,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 					Application: "app1",
 					Message:     "Application resource became Healthy, updating status from Progressing to Healthy.",
 					Status:      "Healthy",
+					Step:        "1",
 				},
 			},
 		},
@@ -3851,6 +3862,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 							Application: "app1",
 							Message:     "",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -3878,6 +3890,166 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 					Application: "app1",
 					Message:     "Application resource is already Healthy, updating status from Waiting to Healthy.",
 					Status:      "Healthy",
+					Step:        "1",
+				},
+			},
+		},
+		{
+			name: "progresses a new outofsync application in a later step to waiting",
+			appSet: argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "argocd",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					Strategy: &argov1alpha1.ApplicationSetStrategy{
+						Type:        "RollingSync",
+						RollingSync: &argov1alpha1.ApplicationSetRolloutStrategy{},
+					},
+				},
+			},
+			apps: []argov1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "app1",
+					},
+					Status: argov1alpha1.ApplicationStatus{
+						Health: argov1alpha1.HealthStatus{
+							Status: health.HealthStatusHealthy,
+						},
+						OperationState: &argov1alpha1.OperationState{
+							Phase: common.OperationSucceeded,
+						},
+						Sync: argov1alpha1.SyncStatus{
+							Status: argov1alpha1.SyncStatusCodeOutOfSync,
+						},
+					},
+				},
+			},
+			appStepMap: map[string]int{
+				"app1": 1,
+				"app2": 0,
+			},
+			expectedAppStatus: []argov1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application: "app1",
+					Message:     "No Application status found, defaulting status to Waiting.",
+					Status:      "Waiting",
+					Step:        "2",
+				},
+			},
+		},
+		{
+			name: "progresses a pending application with a successful sync to progressing",
+			appSet: argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "argocd",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					Strategy: &argov1alpha1.ApplicationSetStrategy{
+						Type:        "RollingSync",
+						RollingSync: &argov1alpha1.ApplicationSetRolloutStrategy{},
+					},
+				},
+				Status: argov1alpha1.ApplicationSetStatus{
+					ApplicationStatus: []argov1alpha1.ApplicationSetApplicationStatus{
+						{
+							Application: "app1",
+							LastTransitionTime: &metav1.Time{
+								Time: time.Now().Add(time.Duration(-1) * time.Minute),
+							},
+							Message: "",
+							Status:  "Pending",
+							Step:    "1",
+						},
+					},
+				},
+			},
+			apps: []argov1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "app1",
+					},
+					Status: argov1alpha1.ApplicationStatus{
+						Health: argov1alpha1.HealthStatus{
+							Status: health.HealthStatusDegraded,
+						},
+						OperationState: &argov1alpha1.OperationState{
+							Phase: common.OperationSucceeded,
+							StartedAt: metav1.Time{
+								Time: time.Now(),
+							},
+						},
+						Sync: argov1alpha1.SyncStatus{
+							Status: argov1alpha1.SyncStatusCodeSynced,
+						},
+					},
+				},
+			},
+			expectedAppStatus: []argov1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application: "app1",
+					Message:     "Application resource completed a sync successfully, updating status from Pending to Progressing.",
+					Status:      "Progressing",
+					Step:        "1",
+				},
+			},
+		},
+		{
+			name: "does not progresses a pending application with an old successful sync to progressing",
+			appSet: argov1alpha1.ApplicationSet{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "name",
+					Namespace: "argocd",
+				},
+				Spec: argov1alpha1.ApplicationSetSpec{
+					Strategy: &argov1alpha1.ApplicationSetStrategy{
+						Type:        "RollingSync",
+						RollingSync: &argov1alpha1.ApplicationSetRolloutStrategy{},
+					},
+				},
+				Status: argov1alpha1.ApplicationSetStatus{
+					ApplicationStatus: []argov1alpha1.ApplicationSetApplicationStatus{
+						{
+							Application: "app1",
+							LastTransitionTime: &metav1.Time{
+								Time: time.Now().Add(time.Duration(-1) * time.Minute),
+							},
+							Message: "Application moved to Pending status, watching for the Application resource to start Progressing.",
+							Status:  "Pending",
+							Step:    "1",
+						},
+					},
+				},
+			},
+			apps: []argov1alpha1.Application{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name: "app1",
+					},
+					Status: argov1alpha1.ApplicationStatus{
+						Health: argov1alpha1.HealthStatus{
+							Status: health.HealthStatusDegraded,
+						},
+						OperationState: &argov1alpha1.OperationState{
+							Phase: common.OperationSucceeded,
+							StartedAt: metav1.Time{
+								Time: time.Now().Add(time.Duration(-2) * time.Minute),
+							},
+						},
+						Sync: argov1alpha1.SyncStatus{
+							Status: argov1alpha1.SyncStatusCodeSynced,
+						},
+					},
+				},
+			},
+			expectedAppStatus: []argov1alpha1.ApplicationSetApplicationStatus{
+				{
+					Application: "app1",
+					Message:     "Application moved to Pending status, watching for the Application resource to start Progressing.",
+					Status:      "Pending",
+					Step:        "1",
 				},
 			},
 		},
@@ -3901,7 +4073,7 @@ func TestUpdateApplicationSetApplicationStatus(t *testing.T) {
 				KubeClientset:    kubeclientset,
 			}
 
-			appStatuses, err := r.updateApplicationSetApplicationStatus(context.TODO(), &cc.appSet, cc.apps)
+			appStatuses, err := r.updateApplicationSetApplicationStatus(context.TODO(), &cc.appSet, cc.apps, cc.appStepMap)
 
 			// opt out of testing the LastTransitionTime is accurate
 			for i := range appStatuses {
@@ -4060,6 +4232,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 			},
 		},
@@ -4091,6 +4264,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -4107,6 +4281,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 			},
 		},
@@ -4138,6 +4313,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application Pending status timed out while waiting to become Progressing, reset status to Healthy.",
 							Status:      "Healthy",
+							Step:        "1",
 						},
 					},
 				},
@@ -4154,6 +4330,7 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application Pending status timed out while waiting to become Progressing, reset status to Healthy.",
 					Status:             "Healthy",
+					Step:               "1",
 				},
 			},
 		},
@@ -4189,21 +4366,25 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application resource became Progressing, updating status from Pending to Progressing.",
 							Status:      "Progressing",
+							Step:        "1",
 						},
 						{
 							Application: "app2",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app3",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app4",
 							Message:     "Application moved to Pending status, watching for the Application resource to start Progressing.",
 							Status:      "Pending",
+							Step:        "1",
 						},
 					},
 				},
@@ -4268,24 +4449,28 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application resource became Progressing, updating status from Pending to Progressing.",
 					Status:             "Progressing",
+					Step:               "1",
 				},
 				{
 					Application:        "app2",
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 				{
 					Application:        "app3",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 				{
 					Application:        "app4",
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 			},
 		},
@@ -4321,16 +4506,19 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app2",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app3",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -4351,18 +4539,21 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 				{
 					Application:        "app2",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 				{
 					Application:        "app3",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 			},
 		},
@@ -4398,16 +4589,19 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app2",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app3",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -4428,18 +4622,21 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 				{
 					Application:        "app2",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 				{
 					Application:        "app3",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 			},
 		},
@@ -4475,16 +4672,19 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app2",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app3",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -4505,18 +4705,21 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 				{
 					Application:        "app2",
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 				{
 					Application:        "app3",
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 			},
 		},
@@ -4552,16 +4755,19 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 							Application: "app1",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app2",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 						{
 							Application: "app3",
 							Message:     "Application is out of date with the current AppSet generation, setting status to Waiting.",
 							Status:      "Waiting",
+							Step:        "1",
 						},
 					},
 				},
@@ -4582,18 +4788,21 @@ func TestUpdateApplicationSetApplicationStatusProgress(t *testing.T) {
 					LastTransitionTime: nil,
 					Message:            "Application moved to Pending status, watching for the Application resource to start Progressing.",
 					Status:             "Pending",
+					Step:               "1",
 				},
 				{
 					Application:        "app2",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 				{
 					Application:        "app3",
 					LastTransitionTime: nil,
 					Message:            "Application is out of date with the current AppSet generation, setting status to Waiting.",
 					Status:             "Waiting",
+					Step:               "1",
 				},
 			},
 		},

applicationset/generators/matrix.go

@@ -144,9 +144,10 @@ func (m *MatrixGenerator) GetRequeueAfter(appSetGenerator *argoprojiov1alpha1.Ap
 
 	for _, r := range appSetGenerator.Matrix.Generators {
 		base := &argoprojiov1alpha1.ApplicationSetGenerator{
-			List:     r.List,
-			Clusters: r.Clusters,
-			Git:      r.Git,
+			List:        r.List,
+			Clusters:    r.Clusters,
+			Git:         r.Git,
+			PullRequest: r.PullRequest,
 		}
 		generators := GetRelevantGenerators(base, m.supportedGenerators)
 

applicationset/generators/matrix_test.go

@@ -399,6 +399,8 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 		Elements: []apiextensionsv1.JSON{{Raw: []byte(`{"cluster": "Cluster","url": "Url"}`)}},
 	}
 
+	pullRequestGenerator := &argoprojiov1alpha1.PullRequestGenerator{}
+
 	testCases := []struct {
 		name               string
 		baseGenerators     []argoprojiov1alpha1.ApplicationSetNestedGenerator
@@ -431,6 +433,31 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 			gitGetRequeueAfter: time.Duration(1),
 			expected:           time.Duration(1),
 		},
+		{
+			name: "returns the minimal time for pull request",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			gitGetRequeueAfter: time.Duration(15 * time.Second),
+			expected:           time.Duration(15 * time.Second),
+		},
+		{
+			name: "returns the default time if no requeueAfterSeconds is provided",
+			baseGenerators: []argoprojiov1alpha1.ApplicationSetNestedGenerator{
+				{
+					Git: gitGenerator,
+				},
+				{
+					PullRequest: pullRequestGenerator,
+				},
+			},
+			expected: time.Duration(30 * time.Minute),
+		},
 	}
 
 	for _, testCase := range testCases {
@@ -441,16 +468,18 @@ func TestMatrixGetRequeueAfter(t *testing.T) {
 
 			for _, g := range testCaseCopy.baseGenerators {
 				gitGeneratorSpec := argoprojiov1alpha1.ApplicationSetGenerator{
-					Git:  g.Git,
-					List: g.List,
+					Git:         g.Git,
+					List:        g.List,
+					PullRequest: g.PullRequest,
 				}
 				mock.On("GetRequeueAfter", &gitGeneratorSpec).Return(testCaseCopy.gitGetRequeueAfter, nil)
 			}
 
 			var matrixGenerator = NewMatrixGenerator(
 				map[string]Generator{
-					"Git":  mock,
-					"List": &ListGenerator{},
+					"Git":         mock,
+					"List":        &ListGenerator{},
+					"PullRequest": &PullRequestGenerator{},
 				},
 			)
 

assets/swagger.json

@@ -3430,6 +3430,12 @@
             "description": "Google Cloud Platform service account key.",
             "name": "gcpServiceAccountKey",
             "in": "query"
+          },
+          {
+            "type": "boolean",
+            "description": "Whether to force HTTP basic auth.",
+            "name": "forceHttpBasicAuth",
+            "in": "query"
           }
         ],
         "responses": {
@@ -3588,6 +3594,29 @@
         }
       }
     },
+    "/api/v1/settings/plugins": {
+      "get": {
+        "tags": [
+          "SettingsService"
+        ],
+        "summary": "Get returns Argo CD plugins",
+        "operationId": "SettingsService_GetPlugins",
+        "responses": {
+          "200": {
+            "description": "A successful response.",
+            "schema": {
+              "$ref": "#/definitions/clusterSettingsPluginsResponse"
+            }
+          },
+          "default": {
+            "description": "An unexpected error response.",
+            "schema": {
+              "$ref": "#/definitions/runtimeError"
+            }
+          }
+        }
+      }
+    },
     "/api/v1/stream/applications": {
       "get": {
         "tags": [
@@ -4342,6 +4371,17 @@
         }
       }
     },
+    "clusterSettingsPluginsResponse": {
+      "type": "object",
+      "properties": {
+        "plugins": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/clusterPlugin"
+          }
+        }
+      }
+    },
     "gpgkeyGnuPGPublicKeyCreateResponse": {
       "type": "object",
       "title": "Response to a public key creation request",
@@ -5668,6 +5708,10 @@
         "status": {
           "type": "string",
           "title": "Status contains the AppSet's perceived status of the managed Application resource: (Waiting, Pending, Progressing, Healthy)"
+        },
+        "step": {
+          "type": "string",
+          "title": "Step tracks which step this Application should be updated in"
         }
       }
     },
@@ -7304,6 +7348,10 @@
           "type": "boolean",
           "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
         },
+        "forceHttpBasicAuth": {
+          "type": "boolean",
+          "title": "ForceHttpBasicAuth specifies whether Argo CD should attempt to force basic auth for HTTP connections"
+        },
         "gcpServiceAccountKey": {
           "type": "string",
           "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"
@@ -7390,6 +7438,10 @@
           "type": "boolean",
           "title": "EnableOCI specifies whether helm-oci support should be enabled for this repo"
         },
+        "forceHttpBasicAuth": {
+          "type": "boolean",
+          "title": "ForceHttpBasicAuth specifies whether Argo CD should attempt to force basic auth for HTTP connections"
+        },
         "gcpServiceAccountKey": {
           "type": "string",
           "title": "GCPServiceAccountKey specifies the service account key in JSON format to be used for getting credentials to Google Cloud Source repos"

cmd/argocd-applicationset-controller/commands/applicationset_controller.go

@@ -46,17 +46,17 @@ func getSubmoduleEnabled() bool {
 
 func NewCommand() *cobra.Command {
 	var (
-		clientConfig              clientcmd.ClientConfig
-		metricsAddr               string
-		probeBindAddr             string
-		webhookAddr               string
-		enableLeaderElection      bool
-		namespace                 string
-		argocdRepoServer          string
-		policy                    string
-		debugLog                  bool
-		dryRun                    bool
-		enableProgressiveRollouts bool
+		clientConfig           clientcmd.ClientConfig
+		metricsAddr            string
+		probeBindAddr          string
+		webhookAddr            string
+		enableLeaderElection   bool
+		namespace              string
+		argocdRepoServer       string
+		policy                 string
+		debugLog               bool
+		dryRun                 bool
+		enableProgressiveSyncs bool
 	)
 	scheme := runtime.NewScheme()
 	_ = clientgoscheme.AddToScheme(scheme)
@@ -169,16 +169,16 @@ func NewCommand() *cobra.Command {
 
 			go func() { errors.CheckError(askPassServer.Run(askpass.SocketPath)) }()
 			if err = (&controllers.ApplicationSetReconciler{
-				Generators:                topLevelGenerators,
-				Client:                    mgr.GetClient(),
-				Scheme:                    mgr.GetScheme(),
-				Recorder:                  mgr.GetEventRecorderFor("applicationset-controller"),
-				Renderer:                  &utils.Render{},
-				Policy:                    policyObj,
-				ArgoAppClientset:          appSetConfig,
-				KubeClientset:             k8sClient,
-				ArgoDB:                    argoCDDB,
-				EnableProgressiveRollouts: enableProgressiveRollouts,
+				Generators:             topLevelGenerators,
+				Client:                 mgr.GetClient(),
+				Scheme:                 mgr.GetScheme(),
+				Recorder:               mgr.GetEventRecorderFor("applicationset-controller"),
+				Renderer:               &utils.Render{},
+				Policy:                 policyObj,
+				ArgoAppClientset:       appSetConfig,
+				KubeClientset:          k8sClient,
+				ArgoDB:                 argoCDDB,
+				EnableProgressiveSyncs: enableProgressiveSyncs,
 			}).SetupWithManager(mgr); err != nil {
 				log.Error(err, "unable to create controller", "controller", "ApplicationSet")
 				os.Exit(1)
@@ -207,7 +207,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&cmdutil.LogFormat, "logformat", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGFORMAT", "text"), "Set the logging format. One of: text|json")
 	command.Flags().StringVar(&cmdutil.LogLevel, "loglevel", env.StringFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_LOGLEVEL", "info"), "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().BoolVar(&dryRun, "dry-run", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_DRY_RUN", false), "Enable dry run mode")
-	command.Flags().BoolVar(&enableProgressiveRollouts, "enable-progressive-rollouts", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_ENABLE_PROGRESSIVE_ROLLOUTS", false), "Enable use of the experimental progressive rollouts feature.")
+	command.Flags().BoolVar(&enableProgressiveSyncs, "enable-progressive-syncs", env.ParseBoolFromEnv("ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS", false), "Enable use of the experimental progressive syncs feature.")
 	return &command
 }
 

cmd/argocd-notification/commands/controller.go

@@ -156,7 +156,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&logLevel, "loglevel", "info", "Set the logging level. One of: debug|info|warn|error")
 	command.Flags().StringVar(&logFormat, "logformat", "text", "Set the logging format. One of: text|json")
 	command.Flags().IntVar(&metricsPort, "metrics-port", defaultMetricsPort, "Metrics port")
-	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	command.Flags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	command.Flags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	command.Flags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	command.Flags().StringVar(&configMapName, "config-map-name", "argocd-notifications-cm", "Set notifications ConfigMap name")

cmd/argocd/commands/admin/cluster.go

@@ -265,9 +265,7 @@ func runClusterNamespacesCommand(ctx context.Context, clientConfig clientcmd.Cli
 					}
 				}
 			} else {
-				if app.Spec.Destination.Server == cluster.Server {
-					nsSet[app.Spec.Destination.Namespace] = true
-				}
+				nsSet[app.Spec.Destination.Namespace] = true
 			}
 		}
 		var namespaces []string

cmd/argocd/commands/admin/notifications.go

@@ -64,7 +64,7 @@ func NewNotificationsCommand() *cobra.Command {
 				log.Fatalf("Failed to initialize Argo CD service: %v", err)
 			}
 		})
-	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", "argocd-repo-server:8081", "Argo CD repo server address")
+	toolsCommand.PersistentFlags().StringVar(&argocdRepoServer, "argocd-repo-server", common.DefaultRepoServerAddr, "Argo CD repo server address")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerPlaintext, "argocd-repo-server-plaintext", false, "Use a plaintext client (non-TLS) to connect to repository server")
 	toolsCommand.PersistentFlags().BoolVar(&argocdRepoServerStrictTLS, "argocd-repo-server-strict-tls", false, "Perform strict validation of TLS certificates when connecting to repo server")
 	return toolsCommand

cmd/argocd/commands/admin/settings.go

@@ -206,7 +206,7 @@ var validatorsByGroup = map[string]settingValidator{
 			}
 			ssoProvider = "Dex"
 		} else if general.OIDCConfigRAW != "" {
-			if _, err := settings.UnmarshalOIDCConfig(general.OIDCConfigRAW); err != nil {
+			if err := settings.ValidateOIDCConfig(general.OIDCConfigRAW); err != nil {
 				return "", fmt.Errorf("invalid oidc.config: %v", err)
 			}
 			ssoProvider = "OIDC"

cmd/argocd/commands/app.go

@@ -967,7 +967,7 @@ func NewApplicationDiffCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 
 					diffOption.serversideRes = res
 				} else {
-					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.6.")
+					fmt.Fprintf(os.Stderr, "Warning: local diff without --server-side-generate is deprecated and does not work with plugins. Server-side generation will be the default in v2.7.")
 					conn, clusterIf := clientset.NewClusterClientOrDie()
 					defer argoio.Close(conn)
 					cluster, err := clusterIf.Get(ctx, &clusterpkg.ClusterQuery{Name: app.Spec.Destination.Name, Server: app.Spec.Destination.Server})
@@ -1376,6 +1376,7 @@ const (
 	resourceFieldCount                  = 3
 	resourceFieldNamespaceDelimiter     = "/"
 	resourceFieldNameWithNamespaceCount = 2
+	resourceExcludeIndicator            = "!"
 )
 
 // resource is GROUP:KIND:NAMESPACE/NAME or GROUP:KIND:NAME
@@ -1400,6 +1401,12 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 	}
 
 	for _, resource := range resources {
+		isExcluded := false
+		// check if the resource flag starts with a '!'
+		if strings.HasPrefix(resource, resourceExcludeIndicator) {
+			resource = strings.TrimPrefix(resource, resourceExcludeIndicator)
+			isExcluded = true
+		}
 		fields := strings.Split(resource, resourceFieldDelimiter)
 		if len(fields) != resourceFieldCount {
 			return nil, fmt.Errorf("Resource should have GROUP%sKIND%sNAME, but instead got: %s", resourceFieldDelimiter, resourceFieldDelimiter, resource)
@@ -1413,6 +1420,7 @@ func parseSelectedResources(resources []string) ([]*argoappv1.SyncOperationResou
 			Kind:      fields[1],
 			Name:      name,
 			Namespace: namespace,
+			Exclude:   isExcluded,
 		})
 	}
 	return selectedResources, nil
@@ -1447,6 +1455,16 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
   # Wait for multiple apps
   argocd app wait my-app other-app
 
+  # Wait for apps by resource
+  # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME.
+  argocd app wait my-app --resource :Service:my-service
+  argocd app wait my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app wait my-app --resource '!apps:Deployment:my-service'
+  argocd app wait my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app wait my-app --resource '!*:Service:*'
+  # Specify namespace if the application has resources with the same name in different namespaces
+  argocd app wait my-app --resource argoproj.io:Rollout:my-namespace/my-rollout
+
   # Wait for apps by label, in this example we waiting for apps that are children of another app (aka app-of-apps)
   argocd app wait -l app.kubernetes.io/instance=my-app
   argocd app wait -l app.kubernetes.io/instance!=my-app
@@ -1485,7 +1503,7 @@ func NewApplicationWaitCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&watch.suspended, "suspended", false, "Wait for suspended")
 	command.Flags().BoolVar(&watch.degraded, "degraded", false, "Wait for degraded")
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Wait for apps by label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().BoolVar(&watch.operation, "operation", false, "Wait for pending operations")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
 	return command
@@ -1545,6 +1563,9 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
   # Resource should be formatted as GROUP:KIND:NAME. If no GROUP is specified then :KIND:NAME
   argocd app sync my-app --resource :Service:my-service
   argocd app sync my-app --resource argoproj.io:Rollout:my-rollout
+  argocd app sync my-app --resource '!apps:Deployment:my-service'
+  argocd app sync my-app --resource apps:Deployment:my-service --resource :Service:my-service
+  argocd app sync my-app --resource '!*:Service:*'
   # Specify namespace if the application has resources with the same name in different namespaces
   argocd app sync my-app --resource argoproj.io:Rollout:my-namespace/my-rollout`,
 		Run: func(c *cobra.Command, args []string) {
@@ -1640,6 +1661,14 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					return
 				}
 
+				// filters out only those resources that needs to be synced
+				filteredResources := filterAppResources(app, selectedResources)
+
+				// if resources are provided and no app resources match, then return error
+				if len(resources) > 0 && len(filteredResources) == 0 {
+					log.Fatalf("No matching app resources found for resource filter: %v", strings.Join(resources, ", "))
+				}
+
 				if local != "" {
 					if app.Spec.GetSource().Plugin != nil && app.Spec.GetSource().Plugin.Name != "" {
 						log.Warnf(argocommon.ConfigMapPluginCLIDeprecationWarning)
@@ -1690,7 +1719,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 					AppNamespace: &appNs,
 					DryRun:       &dryRun,
 					Revision:     &revision,
-					Resources:    selectedResources,
+					Resources:    filteredResources,
 					Prune:        &prune,
 					Manifests:    localObjsStrings,
 					Infos:        getInfos(infos),
@@ -1770,7 +1799,7 @@ func NewApplicationSyncCommand(clientOpts *argocdclient.ClientOptions) *cobra.Co
 	command.Flags().BoolVar(&dryRun, "dry-run", false, "Preview apply without affecting cluster")
 	command.Flags().BoolVar(&prune, "prune", false, "Allow deleting unexpected resources")
 	command.Flags().StringVar(&revision, "revision", "", "Sync to a specific revision. Preserves parameter overrides")
-	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%sKIND%sNAME. Fields may be blank. This option may be specified repeatedly", resourceFieldDelimiter, resourceFieldDelimiter))
+	command.Flags().StringArrayVar(&resources, "resource", []string{}, fmt.Sprintf("Sync only specific resources as GROUP%[1]sKIND%[1]sNAME or %[2]sGROUP%[1]sKIND%[1]sNAME. Fields may be blank and '*' can be used. This option may be specified repeatedly", resourceFieldDelimiter, resourceExcludeIndicator))
 	command.Flags().StringVarP(&selector, "selector", "l", "", "Sync apps that match this label. Supports '=', '==', '!=', in, notin, exists & not exists. Matching apps must satisfy all of the specified label constraints.")
 	command.Flags().StringArrayVar(&labels, "label", []string{}, "Sync only specific resources with a label. This option may be specified repeatedly.")
 	command.Flags().UintVar(&timeout, "timeout", defaultCheckTimeoutSeconds, "Time out after this many seconds")
@@ -1895,15 +1924,9 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	}
 	// filter out not selected resources
 	if len(selectedResources) > 0 {
-		r := []argoappv1.SyncOperationResource{}
-		for _, res := range selectedResources {
-			if res != nil {
-				r = append(r, *res)
-			}
-		}
 		for i := len(states) - 1; i >= 0; i-- {
 			res := states[i]
-			if !argo.ContainsSyncResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, r) {
+			if !argo.IncludeResource(res.Name, res.Namespace, schema.GroupVersionKind{Group: res.Group, Kind: res.Kind}, selectedResources) {
 				states = append(states[:i], states[i+1:]...)
 			}
 		}
@@ -1911,6 +1934,26 @@ func getResourceStates(app *argoappv1.Application, selectedResources []*argoappv
 	return states
 }
 
+// filterAppResources selects the app resources that match atleast one of the resource filters.
+func filterAppResources(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) []*argoappv1.SyncOperationResource {
+	var filteredResources []*argoappv1.SyncOperationResource
+	if app != nil && len(selectedResources) > 0 {
+		for i := range app.Status.Resources {
+			appResource := app.Status.Resources[i]
+			if (argo.IncludeResource(appResource.Name, appResource.Namespace,
+				schema.GroupVersionKind{Group: appResource.Group, Kind: appResource.Kind}, selectedResources)) {
+				filteredResources = append(filteredResources, &argoappv1.SyncOperationResource{
+					Group:     appResource.Group,
+					Kind:      appResource.Kind,
+					Name:      appResource.Name,
+					Namespace: appResource.Namespace,
+				})
+			}
+		}
+	}
+	return filteredResources
+}
+
 func groupResourceStates(app *argoappv1.Application, selectedResources []*argoappv1.SyncOperationResource) map[string]*resourceState {
 	resStates := make(map[string]*resourceState)
 	for _, result := range getResourceStates(app, selectedResources) {

cmd/argocd/commands/app_test.go

@@ -904,11 +904,220 @@ func Test_unset_nothingToUnset(t *testing.T) {
 	}
 }
 
+func TestFilterAppResources(t *testing.T) {
+	// App resources
+	var (
+		appReplicaSet1 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		appReplicaSet2 = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		appJob = v1alpha1.ResourceStatus{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		appService1 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		appService2 = v1alpha1.ResourceStatus{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		appDeployment = v1alpha1.ResourceStatus{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	app := v1alpha1.Application{
+		Status: v1alpha1.ApplicationStatus{
+			Resources: []v1alpha1.ResourceStatus{
+				appReplicaSet1, appReplicaSet2, appJob, appService1, appService2, appDeployment},
+		},
+	}
+	// Resource filters
+	var (
+		blankValues = argoappv1.SyncOperationResource{
+			Group:     "",
+			Kind:      "",
+			Name:      "",
+			Namespace: "",
+			Exclude:   false}
+		// *:*:*
+		includeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:*:*
+		excludeAllResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "*",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// *:Service:*
+		includeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   false}
+		// !*:Service:*
+		excludeAllServiceResources = argoappv1.SyncOperationResource{
+			Group:     "*",
+			Kind:      "Service",
+			Name:      "*",
+			Namespace: "",
+			Exclude:   true}
+		// apps:ReplicaSet:replicaSet-name1
+		includeReplicaSet1Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name1",
+			Namespace: "",
+			Exclude:   false}
+		// !apps:ReplicaSet:replicaSet-name2
+		excludeReplicaSet2Resource = argoappv1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Name:      "replicaSet-name2",
+			Namespace: "",
+			Exclude:   true}
+	)
+
+	// Filtered resources
+	var (
+		replicaSet1 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name1",
+		}
+		replicaSet2 = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "ReplicaSet",
+			Namespace: "default",
+			Name:      "replicaSet-name2",
+		}
+		job = v1alpha1.SyncOperationResource{
+			Group:     "batch",
+			Kind:      "Job",
+			Namespace: "default",
+			Name:      "job-name",
+		}
+		service1 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name1",
+		}
+		service2 = v1alpha1.SyncOperationResource{
+			Group:     "",
+			Kind:      "Service",
+			Namespace: "default",
+			Name:      "service-name2",
+		}
+		deployment = v1alpha1.SyncOperationResource{
+			Group:     "apps",
+			Kind:      "Deployment",
+			Namespace: "default",
+			Name:      "deployment-name",
+		}
+	)
+	tests := []struct {
+		testName          string
+		selectedResources []*argoappv1.SyncOperationResource
+		expectedResult    []*argoappv1.SyncOperationResource
+	}{
+		//--resource apps:ReplicaSet:replicaSet-name1 --resource *:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &service1, &service2},
+		},
+		//--resource apps:ReplicaSet:replicaSet-name1 --resource !*:Service:*
+		{testName: "Include ReplicaSet replicaSet-name1 resouce and exclude all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources, &includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2 --resource !*:Service:*
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce and all service resources",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource, &excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		// --resource !apps:ReplicaSet:replicaSet-name2
+		{testName: "Exclude ReplicaSet replicaSet-name2 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeReplicaSet2Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &job, &service1, &service2, &deployment},
+		},
+		// --resource apps:ReplicaSet:replicaSet-name1
+		{testName: "Include ReplicaSet replicaSet-name1 resouce",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeReplicaSet1Resource},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1},
+		},
+		// --resource !*:Service:*
+		{testName: "Exclude Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &deployment},
+		},
+		// --resource *:Service:*
+		{testName: "Include Service resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllServiceResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&service1, &service2},
+		},
+		// --resource !*:*:*
+		{testName: "Exclude all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&excludeAllResources},
+			expectedResult:    nil,
+		},
+		// --resource *:*:*
+		{testName: "Include all resouces",
+			selectedResources: []*argoappv1.SyncOperationResource{&includeAllResources},
+			expectedResult:    []*argoappv1.SyncOperationResource{&replicaSet1, &replicaSet2, &job, &service1, &service2, &deployment},
+		},
+		{testName: "No Filters",
+			selectedResources: []*argoappv1.SyncOperationResource{&blankValues},
+			expectedResult:    nil,
+		},
+		{testName: "Empty Filter",
+			selectedResources: []*argoappv1.SyncOperationResource{},
+			expectedResult:    nil,
+		},
+	}
+
+	for _, test := range tests {
+		t.Run(test.testName, func(t *testing.T) {
+			filteredResources := filterAppResources(&app, test.selectedResources)
+			assert.Equal(t, test.expectedResult, filteredResources)
+		})
+	}
+}
+
 func TestParseSelectedResources(t *testing.T) {
-	resources := []string{"v1alpha:Application:test", "v1alpha:Application:namespace/test"}
+	resources := []string{"v1alpha:Application:test",
+		"v1alpha:Application:namespace/test",
+		"!v1alpha:Application:test",
+		"apps:Deployment:default/test",
+		"!*:*:*"}
 	operationResources, err := parseSelectedResources(resources)
 	assert.NoError(t, err)
-	assert.Len(t, operationResources, 2)
+	assert.Len(t, operationResources, 5)
 	assert.Equal(t, *operationResources[0], v1alpha1.SyncOperationResource{
 		Namespace: "",
 		Name:      "test",
@@ -921,6 +1130,27 @@ func TestParseSelectedResources(t *testing.T) {
 		Kind:      "Application",
 		Group:     "v1alpha",
 	})
+	assert.Equal(t, *operationResources[2], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "test",
+		Kind:      "Application",
+		Group:     "v1alpha",
+		Exclude:   true,
+	})
+	assert.Equal(t, *operationResources[3], v1alpha1.SyncOperationResource{
+		Namespace: "default",
+		Name:      "test",
+		Kind:      "Deployment",
+		Group:     "apps",
+		Exclude:   false,
+	})
+	assert.Equal(t, *operationResources[4], v1alpha1.SyncOperationResource{
+		Namespace: "",
+		Name:      "*",
+		Kind:      "*",
+		Group:     "*",
+		Exclude:   true,
+	})
 }
 
 func TestParseSelectedResourcesIncorrect(t *testing.T) {

cmd/argocd/commands/cluster.go

@@ -27,6 +27,17 @@ import (
 	"github.com/argoproj/argo-cd/v2/util/text/label"
 )
 
+const (
+	// type of the cluster ID is 'name'
+	clusterIdTypeName = "name"
+	// cluster field is 'name'
+	clusterFieldName = "name"
+	// cluster field is 'namespaces'
+	clusterFieldNamespaces = "namespaces"
+	// indicates managing all namespaces
+	allNamespaces = "*"
+)
+
 // NewClusterCommand returns a new instance of an `argocd cluster` command
 func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientcmd.PathOptions) *cobra.Command {
 	var command = &cobra.Command{
@@ -47,7 +58,10 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 
   # Remove a target cluster context from ArgoCD
   argocd cluster rm example-cluster
-`,
+
+  # Set a target cluster context from ArgoCD
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace '*'
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace namespace-one --namespace namespace-two`,
 	}
 
 	command.AddCommand(NewClusterAddCommand(clientOpts, pathOpts))
@@ -55,6 +69,7 @@ func NewClusterCommand(clientOpts *argocdclient.ClientOptions, pathOpts *clientc
 	command.AddCommand(NewClusterListCommand(clientOpts))
 	command.AddCommand(NewClusterRemoveCommand(clientOpts, pathOpts))
 	command.AddCommand(NewClusterRotateAuthCommand(clientOpts))
+	command.AddCommand(NewClusterSetCommand(clientOpts))
 	return command
 }
 
@@ -185,6 +200,72 @@ func getRestConfig(pathOpts *clientcmd.PathOptions, ctxName string) (*rest.Confi
 	return conf, nil
 }
 
+// NewClusterSetCommand returns a new instance of an `argocd cluster set` command
+func NewClusterSetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
+	var (
+		clusterOptions cmdutil.ClusterOptions
+		clusterName    string
+	)
+	var command = &cobra.Command{
+		Use:   "set NAME",
+		Short: "Set cluster information",
+		Example: `  # Set cluster information
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace '*'
+  argocd cluster set CLUSTER_NAME --name new-cluster-name --namespace namespace-one --namespace namespace-two`,
+		Run: func(c *cobra.Command, args []string) {
+			ctx := c.Context()
+			if len(args) != 1 {
+				c.HelpFunc()(c, args)
+				os.Exit(1)
+			}
+			// name of the cluster whose fields have to be updated.
+			clusterName = args[0]
+			conn, clusterIf := headless.NewClientOrDie(clientOpts, c).NewClusterClientOrDie()
+			defer io.Close(conn)
+			// checks the fields that needs to be updated
+			updatedFields := checkFieldsToUpdate(clusterOptions)
+			namespaces := clusterOptions.Namespaces
+			// check if all namespaces have to be considered
+			if len(namespaces) == 1 && strings.EqualFold(namespaces[0], allNamespaces) {
+				namespaces[0] = ""
+			}
+			if updatedFields != nil {
+				clusterUpdateRequest := clusterpkg.ClusterUpdateRequest{
+					Cluster: &argoappv1.Cluster{
+						Name:       clusterOptions.Name,
+						Namespaces: namespaces,
+					},
+					UpdatedFields: updatedFields,
+					Id: &clusterpkg.ClusterID{
+						Type:  clusterIdTypeName,
+						Value: clusterName,
+					},
+				}
+				_, err := clusterIf.Update(ctx, &clusterUpdateRequest)
+				errors.CheckError(err)
+				fmt.Printf("Cluster '%s' updated.\n", clusterName)
+			} else {
+				fmt.Print("Specify the cluster field to be updated.\n")
+			}
+		},
+	}
+	command.Flags().StringVar(&clusterOptions.Name, "name", "", "Overwrite the cluster name")
+	command.Flags().StringArrayVar(&clusterOptions.Namespaces, "namespace", nil, "List of namespaces which are allowed to manage. Specify '*' to manage all namespaces")
+	return command
+}
+
+// checkFieldsToUpdate returns the fields that needs to be updated
+func checkFieldsToUpdate(clusterOptions cmdutil.ClusterOptions) []string {
+	var updatedFields []string
+	if clusterOptions.Name != "" {
+		updatedFields = append(updatedFields, clusterFieldName)
+	}
+	if clusterOptions.Namespaces != nil {
+		updatedFields = append(updatedFields, clusterFieldNamespaces)
+	}
+	return updatedFields
+}
+
 // NewClusterGetCommand returns a new instance of an `argocd cluster get` command
 func NewClusterGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 	var (

cmd/argocd/commands/completion.go

@@ -146,6 +146,7 @@ __argocd_custom_func() {
 			;;
 		argocd_cluster_get | \
 		argocd_cluster_rm | \
+		argocd_cluster_set | \
 		argocd_login | \
 		argocd_cluster_add)
 			__argocd_list_servers

cmd/argocd/commands/login.go

@@ -12,7 +12,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/golang-jwt/jwt/v4"
 	log "github.com/sirupsen/logrus"
 	"github.com/skratchdot/open-golang/open"

cmd/argocd/commands/relogin.go

@@ -4,7 +4,7 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/coreos/go-oidc"
+	"github.com/coreos/go-oidc/v3/oidc"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 

cmd/argocd/commands/repo.go

@@ -160,6 +160,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 			repoOpts.Repo.GithubAppInstallationId = repoOpts.GithubAppInstallationId
 			repoOpts.Repo.GitHubAppEnterpriseBaseURL = repoOpts.GitHubAppEnterpriseBaseURL
 			repoOpts.Repo.Proxy = repoOpts.Proxy
+			repoOpts.Repo.ForceHttpBasicAuth = repoOpts.ForceHttpBasicAuth
 
 			if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
 				errors.CheckError(fmt.Errorf("Must specify --name for repos of type 'helm'"))
@@ -199,6 +200,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 				Proxy:                      repoOpts.Proxy,
 				Project:                    repoOpts.Repo.Project,
 				GcpServiceAccountKey:       repoOpts.Repo.GCPServiceAccountKey,
+				ForceHttpBasicAuth:         repoOpts.Repo.ForceHttpBasicAuth,
 			}
 			_, err := repoIf.ValidateAccess(ctx, &repoAccessReq)
 			errors.CheckError(err)
@@ -309,7 +311,7 @@ func NewRepoListCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
-	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status , must be one of: 'hard'")
 	return command
 }
 
@@ -360,6 +362,6 @@ func NewRepoGetCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
 		},
 	}
 	command.Flags().StringVarP(&output, "output", "o", "wide", "Output format. One of: json|yaml|wide|url")
-	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status")
+	command.Flags().StringVar(&refresh, "refresh", "", "Force a cache refresh on connection status , must be one of: 'hard'")
 	return command
 }

cmd/argocd/commands/repocreds.go

@@ -175,6 +175,7 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
 	command.Flags().BoolVar(&repo.EnableOCI, "enable-oci", false, "Specifies whether helm-oci support should be enabled for this repo")
 	command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
 	command.Flags().StringVar(&gcpServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
+	command.Flags().BoolVar(&repo.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force basic auth when connecting via HTTP")
 	return command
 }
 

cmd/util/applicationset.go

@@ -61,6 +61,6 @@ func readAppset(yml []byte, appsets *[]*argoprojiov1alpha1.ApplicationSet) error
 		*appsets = append(*appsets, &appset)
 
 	}
-
-	return fmt.Errorf("error reading app set: %w", err)
+	// we reach here if there is no error found while reading the Application Set
+	return nil
 }

cmd/util/repo.go

@@ -23,6 +23,7 @@ type RepoOptions struct {
 	GitHubAppEnterpriseBaseURL     string
 	Proxy                          string
 	GCPServiceAccountKeyPath       string
+	ForceHttpBasicAuth             bool
 }
 
 func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
@@ -44,4 +45,5 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
 	command.Flags().StringVar(&opts.GitHubAppEnterpriseBaseURL, "github-app-enterprise-base-url", "", "base url to use when using GitHub Enterprise (e.g. https://ghe.example.com/api/v3")
 	command.Flags().StringVar(&opts.Proxy, "proxy", "", "use proxy to access repository")
 	command.Flags().StringVar(&opts.GCPServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
+	command.Flags().BoolVar(&opts.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force use of basic auth when connecting repository via HTTP")
 }

cmpserver/apiclient/plugin.pb.go

@@ -318,6 +318,7 @@ func (m *ManifestResponse) GetSourceType() string {
 
 type RepositoryResponse struct {
 	IsSupported          bool     `protobuf:"varint,1,opt,name=isSupported,proto3" json:"isSupported,omitempty"`
+	IsDiscoveryEnabled   bool     `protobuf:"varint,2,opt,name=isDiscoveryEnabled,proto3" json:"isDiscoveryEnabled,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@@ -363,6 +364,13 @@ func (m *RepositoryResponse) GetIsSupported() bool {
 	return false
 }
 
+func (m *RepositoryResponse) GetIsDiscoveryEnabled() bool {
+	if m != nil {
+		return m.IsDiscoveryEnabled
+	}
+	return false
+}
+
 // ParametersAnnouncementResponse contains a list of announcements. This list represents all the parameters which a CMP
 // is able to accept.
 type ParametersAnnouncementResponse struct {
@@ -472,42 +480,43 @@ func init() {
 func init() { proto.RegisterFile("cmpserver/plugin/plugin.proto", fileDescriptor_b21875a7079a06ed) }
 
 var fileDescriptor_b21875a7079a06ed = []byte{
-	// 558 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x54, 0xc1, 0x6e, 0xd3, 0x4c,
-	0x10, 0xae, 0x9b, 0xb4, 0x4d, 0x26, 0x95, 0xfe, 0x68, 0xf5, 0x0b, 0x4c, 0xd4, 0x86, 0xe0, 0x03,
-	0xca, 0x85, 0x44, 0x32, 0x88, 0x1b, 0x12, 0x2d, 0x2a, 0xad, 0x40, 0x41, 0xd1, 0x96, 0x0b, 0xdc,
-	0xb6, 0xce, 0x24, 0x59, 0x6a, 0xef, 0x2e, 0xeb, 0xb5, 0xa5, 0xc0, 0x85, 0xf7, 0xe0, 0x01, 0x78,
-	0x15, 0x8e, 0x3c, 0x02, 0xca, 0x93, 0x20, 0xaf, 0xed, 0xd8, 0xa2, 0x6d, 0x38, 0x79, 0xe6, 0x9b,
-	0x99, 0x6f, 0xbf, 0x9d, 0x99, 0x35, 0x1c, 0x07, 0x91, 0x8a, 0x51, 0xa7, 0xa8, 0xc7, 0x2a, 0x4c,
-	0x16, 0x5c, 0x14, 0x9f, 0x91, 0xd2, 0xd2, 0x48, 0xb2, 0x9f, 0x7b, 0xbd, 0xb3, 0x05, 0x37, 0xcb,
-	0xe4, 0x6a, 0x14, 0xc8, 0x68, 0xcc, 0xf4, 0x42, 0x2a, 0x2d, 0x3f, 0x59, 0xe3, 0x49, 0x30, 0x1b,
-	0xa7, 0xfe, 0x58, 0xa3, 0x92, 0x05, 0x8d, 0x35, 0xb9, 0x91, 0x7a, 0x55, 0x33, 0x73, 0x3a, 0xef,
-	0x9b, 0x03, 0xdd, 0x13, 0xa5, 0x2e, 0x8d, 0x46, 0x16, 0x51, 0xfc, 0x9c, 0x60, 0x6c, 0xc8, 0x0b,
-	0x68, 0x45, 0x68, 0xd8, 0x8c, 0x19, 0xe6, 0x3a, 0x03, 0x67, 0xd8, 0xf1, 0x1f, 0x8e, 0x0a, 0x11,
-	0x13, 0x26, 0xf8, 0x1c, 0x63, 0x53, 0xa4, 0x4e, 0x8a, 0xb4, 0x8b, 0x1d, 0xba, 0x29, 0x21, 0x1e,
-	0x34, 0xe7, 0x3c, 0x44, 0x77, 0xd7, 0x96, 0x1e, 0x96, 0xa5, 0xaf, 0x79, 0x88, 0x17, 0x3b, 0xd4,
-	0xc6, 0x4e, 0xdb, 0x70, 0xa0, 0x73, 0x0a, 0xef, 0x87, 0x03, 0xf7, 0xef, 0xa0, 0x25, 0x2e, 0x1c,
-	0x30, 0xa5, 0xde, 0xb1, 0x08, 0xad, 0x90, 0x36, 0x2d, 0x5d, 0xd2, 0x07, 0x60, 0x4a, 0x51, 0x0c,
-	0xa7, 0xcc, 0x2c, 0xed, 0x51, 0x6d, 0x5a, 0x43, 0x48, 0x0f, 0x5a, 0xc1, 0x12, 0x83, 0xeb, 0x38,
-	0x89, 0xdc, 0x86, 0x8d, 0x6e, 0x7c, 0x42, 0xa0, 0x19, 0xf3, 0x2f, 0xe8, 0x36, 0x07, 0xce, 0xb0,
-	0x41, 0xad, 0x4d, 0x3c, 0x68, 0xa0, 0x48, 0xdd, 0xbd, 0x41, 0x63, 0xd8, 0xf1, 0xbb, 0xa5, 0xe6,
-	0x33, 0x91, 0x9e, 0x09, 0xa3, 0x57, 0x34, 0x0b, 0x7a, 0xcf, 0xa0, 0x55, 0x02, 0x19, 0x87, 0xa8,
-	0x64, 0x59, 0x9b, 0xfc, 0x0f, 0x7b, 0x29, 0x0b, 0x13, 0x2c, 0xe4, 0xe4, 0x8e, 0x37, 0x85, 0x6e,
-	0x75, 0xbd, 0x58, 0x49, 0x11, 0x23, 0x39, 0x82, 0x76, 0x54, 0x60, 0xb1, 0xeb, 0x0c, 0x1a, 0xc3,
-	0x36, 0xad, 0x80, 0xec, 0x6e, 0xb1, 0x4c, 0x74, 0x80, 0xef, 0x57, 0xaa, 0x24, 0xab, 0x21, 0xde,
-	0x73, 0x20, 0x74, 0x33, 0xc8, 0x0d, 0xe7, 0x00, 0x3a, 0x3c, 0xbe, 0x4c, 0x94, 0x92, 0xda, 0xe0,
-	0xcc, 0x0a, 0x6b, 0xd1, 0x3a, 0xe4, 0x7d, 0x85, 0xfe, 0x94, 0x69, 0x16, 0xa1, 0x41, 0x1d, 0x9f,
-	0x08, 0x21, 0x13, 0x11, 0x60, 0x84, 0xa2, 0xd2, 0xf5, 0x01, 0xee, 0xa9, 0x32, 0xa3, 0x9e, 0x90,
-	0x8b, 0xec, 0xf8, 0x8f, 0x46, 0xb5, 0x0d, 0x9a, 0xde, 0x96, 0x49, 0xef, 0x20, 0xf0, 0x8e, 0xa0,
-	0x99, 0x6d, 0x40, 0xd6, 0xa4, 0x60, 0x99, 0x88, 0x6b, 0x2b, 0xf0, 0x90, 0xe6, 0x8e, 0xff, 0x7d,
-	0x17, 0x8e, 0x5f, 0x49, 0x31, 0xe7, 0x8b, 0x09, 0x13, 0x6c, 0x61, 0x6b, 0xa6, 0x76, 0x06, 0x97,
-	0xa8, 0x53, 0x1e, 0x20, 0x79, 0x03, 0xdd, 0x73, 0x14, 0xa8, 0x99, 0xc1, 0xb2, 0x9d, 0xc4, 0x2d,
-	0xe7, 0xf4, 0xf7, 0x0a, 0xf7, 0xdc, 0x9b, 0x0b, 0x9b, 0x5f, 0xd1, 0xdb, 0x19, 0x3a, 0xe4, 0x2d,
-	0xfc, 0x37, 0x61, 0x26, 0x58, 0x56, 0x5d, 0xdc, 0x42, 0xd5, 0x2b, 0x23, 0x37, 0x7b, 0x6e, 0xc9,
-	0x18, 0x3c, 0x38, 0x47, 0x73, 0x7b, 0x63, 0xb7, 0xd0, 0x3e, 0x2e, 0x23, 0xdb, 0x47, 0x92, 0x1d,
-	0x71, 0xfa, 0xf2, 0xe7, 0xba, 0xef, 0xfc, 0x5a, 0xf7, 0x9d, 0xdf, 0xeb, 0xbe, 0xf3, 0xd1, 0xff,
-	0xc7, 0xd3, 0xaf, 0x7e, 0x20, 0x4c, 0xf1, 0x20, 0xe4, 0x28, 0xcc, 0xd5, 0xbe, 0x7d, 0xee, 0x4f,
-	0xff, 0x04, 0x00, 0x00, 0xff, 0xff, 0x33, 0x34, 0xb3, 0x95, 0x5e, 0x04, 0x00, 0x00,
+	// 576 bytes of a gzipped FileDescriptorProto
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x94, 0xdd, 0x6e, 0x12, 0x4f,
+	0x14, 0xc0, 0xbb, 0x85, 0xb6, 0x70, 0x68, 0xf2, 0x27, 0x93, 0x7f, 0x74, 0x25, 0x2d, 0xe2, 0x5e,
+	0x18, 0x6e, 0x84, 0x04, 0xbd, 0x35, 0xb1, 0x55, 0x6c, 0xa3, 0xc1, 0x90, 0xa9, 0x37, 0x7a, 0x37,
+	0x1d, 0x0e, 0x30, 0x76, 0x77, 0x66, 0x9c, 0x99, 0xdd, 0x04, 0xbd, 0xf1, 0x3d, 0x7c, 0x00, 0x5f,
+	0xc5, 0x4b, 0x1f, 0xc1, 0xf4, 0x49, 0x0c, 0xb3, 0xbb, 0x40, 0x6c, 0x8b, 0x57, 0x7b, 0x3e, 0x7f,
+	0x7b, 0xbe, 0x32, 0x70, 0xcc, 0x13, 0x6d, 0xd1, 0x64, 0x68, 0xfa, 0x3a, 0x4e, 0x67, 0x42, 0x16,
+	0x9f, 0x9e, 0x36, 0xca, 0x29, 0xb2, 0x9f, 0x6b, 0xad, 0xe1, 0x4c, 0xb8, 0x79, 0x7a, 0xd9, 0xe3,
+	0x2a, 0xe9, 0x33, 0x33, 0x53, 0xda, 0xa8, 0x4f, 0x5e, 0x78, 0xc2, 0x27, 0xfd, 0x6c, 0xd0, 0x37,
+	0xa8, 0x55, 0x81, 0xf1, 0xa2, 0x70, 0xca, 0x2c, 0x36, 0xc4, 0x1c, 0x17, 0x7d, 0x0b, 0xa0, 0x79,
+	0xa2, 0xf5, 0x85, 0x33, 0xc8, 0x12, 0x8a, 0x9f, 0x53, 0xb4, 0x8e, 0x3c, 0x87, 0x5a, 0x82, 0x8e,
+	0x4d, 0x98, 0x63, 0x61, 0xd0, 0x09, 0xba, 0x8d, 0xc1, 0xc3, 0x5e, 0x51, 0xc4, 0x88, 0x49, 0x31,
+	0x45, 0xeb, 0x8a, 0xd0, 0x51, 0x11, 0x76, 0xbe, 0x43, 0x57, 0x29, 0x24, 0x82, 0xea, 0x54, 0xc4,
+	0x18, 0xee, 0xfa, 0xd4, 0xc3, 0x32, 0xf5, 0xb5, 0x88, 0xf1, 0x7c, 0x87, 0x7a, 0xdf, 0x69, 0x1d,
+	0x0e, 0x4c, 0x8e, 0x88, 0x7e, 0x04, 0x70, 0xff, 0x0e, 0x2c, 0x09, 0xe1, 0x80, 0x69, 0xfd, 0x8e,
+	0x25, 0xe8, 0x0b, 0xa9, 0xd3, 0x52, 0x25, 0x6d, 0x00, 0xa6, 0x35, 0xc5, 0x78, 0xcc, 0xdc, 0xdc,
+	0xff, 0xaa, 0x4e, 0x37, 0x2c, 0xa4, 0x05, 0x35, 0x3e, 0x47, 0x7e, 0x65, 0xd3, 0x24, 0xac, 0x78,
+	0xef, 0x4a, 0x27, 0x04, 0xaa, 0x56, 0x7c, 0xc1, 0xb0, 0xda, 0x09, 0xba, 0x15, 0xea, 0x65, 0x12,
+	0x41, 0x05, 0x65, 0x16, 0xee, 0x75, 0x2a, 0xdd, 0xc6, 0xa0, 0x59, 0xd6, 0x3c, 0x94, 0xd9, 0x50,
+	0x3a, 0xb3, 0xa0, 0x4b, 0x67, 0xf4, 0x0c, 0x6a, 0xa5, 0x61, 0xc9, 0x90, 0xeb, 0xb2, 0xbc, 0x4c,
+	0xfe, 0x87, 0xbd, 0x8c, 0xc5, 0x29, 0x16, 0xe5, 0xe4, 0x4a, 0x34, 0x86, 0xe6, 0xba, 0x3d, 0xab,
+	0x95, 0xb4, 0x48, 0x8e, 0xa0, 0x9e, 0x14, 0x36, 0x1b, 0x06, 0x9d, 0x4a, 0xb7, 0x4e, 0xd7, 0x86,
+	0x65, 0x6f, 0x56, 0xa5, 0x86, 0xe3, 0xfb, 0x85, 0x2e, 0x61, 0x1b, 0x96, 0x68, 0x0a, 0x84, 0xae,
+	0x16, 0xb9, 0x62, 0x76, 0xa0, 0x21, 0xec, 0x45, 0xaa, 0xb5, 0x32, 0x0e, 0x27, 0xbe, 0xb0, 0x1a,
+	0xdd, 0x34, 0x91, 0x1e, 0x10, 0x61, 0x5f, 0x09, 0xcb, 0x55, 0x86, 0x66, 0x31, 0x94, 0xec, 0x32,
+	0xc6, 0x89, 0xe7, 0xd7, 0xe8, 0x2d, 0x9e, 0xe8, 0x2b, 0xb4, 0xc7, 0xcc, 0xb0, 0x04, 0x1d, 0x1a,
+	0x7b, 0x22, 0xa5, 0x4a, 0x25, 0xc7, 0x04, 0xe5, 0xba, 0x8f, 0x0f, 0x70, 0x4f, 0x97, 0x11, 0x9b,
+	0x01, 0x79, 0x53, 0x8d, 0xc1, 0xa3, 0xde, 0xc6, 0xc5, 0x8d, 0x6f, 0x8b, 0xa4, 0x77, 0x00, 0xa2,
+	0x23, 0xa8, 0x2e, 0x2f, 0x66, 0x39, 0x54, 0x3e, 0x4f, 0xe5, 0x95, 0x6f, 0xe8, 0x90, 0xe6, 0xca,
+	0xe0, 0xfb, 0x2e, 0x1c, 0xbf, 0x54, 0x72, 0x2a, 0x66, 0x23, 0x26, 0xd9, 0xcc, 0xe7, 0x8c, 0xfd,
+	0xce, 0x2e, 0xd0, 0x64, 0x82, 0x23, 0x79, 0x03, 0xcd, 0x33, 0x94, 0x68, 0x98, 0xc3, 0x72, 0xfc,
+	0x24, 0x2c, 0xf7, 0xfa, 0xf7, 0xc9, 0xb7, 0xc2, 0x9b, 0x07, 0x9e, 0xb7, 0x18, 0xed, 0x74, 0x03,
+	0xf2, 0x16, 0xfe, 0x1b, 0x31, 0xc7, 0xe7, 0xeb, 0xa9, 0x6f, 0x41, 0xb5, 0x4a, 0xcf, 0xcd, 0x1d,
+	0x79, 0x18, 0x83, 0x07, 0x67, 0xe8, 0x6e, 0x1f, 0xec, 0x16, 0xec, 0xe3, 0xd2, 0xb3, 0x7d, 0x25,
+	0xcb, 0x5f, 0x9c, 0xbe, 0xf8, 0x79, 0xdd, 0x0e, 0x7e, 0x5d, 0xb7, 0x83, 0xdf, 0xd7, 0xed, 0xe0,
+	0xe3, 0xe0, 0x1f, 0x4f, 0xc5, 0xfa, 0xc1, 0x61, 0x5a, 0xf0, 0x58, 0xa0, 0x74, 0x97, 0xfb, 0xfe,
+	0x79, 0x78, 0xfa, 0x27, 0x00, 0x00, 0xff, 0xff, 0x23, 0x88, 0x8e, 0xd3, 0x8e, 0x04, 0x00, 0x00,
 }
 
 // Reference imports to suppress errors if they are not otherwise used.
@@ -1025,6 +1034,16 @@ func (m *RepositoryResponse) MarshalToSizedBuffer(dAtA []byte) (int, error) {
 		i -= len(m.XXX_unrecognized)
 		copy(dAtA[i:], m.XXX_unrecognized)
 	}
+	if m.IsDiscoveryEnabled {
+		i--
+		if m.IsDiscoveryEnabled {
+			dAtA[i] = 1
+		} else {
+			dAtA[i] = 0
+		}
+		i--
+		dAtA[i] = 0x10
+	}
 	if m.IsSupported {
 		i--
 		if m.IsSupported {
@@ -1247,6 +1266,9 @@ func (m *RepositoryResponse) Size() (n int) {
 	if m.IsSupported {
 		n += 2
 	}
+	if m.IsDiscoveryEnabled {
+		n += 2
+	}
 	if m.XXX_unrecognized != nil {
 		n += len(m.XXX_unrecognized)
 	}
@@ -1893,6 +1915,26 @@ func (m *RepositoryResponse) Unmarshal(dAtA []byte) error {
 				}
 			}
 			m.IsSupported = bool(v != 0)
+		case 2:
+			if wireType != 0 {
+				return fmt.Errorf("proto: wrong wireType = %d for field IsDiscoveryEnabled", wireType)
+			}
+			var v int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowPlugin
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				v |= int(b&0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			m.IsDiscoveryEnabled = bool(v != 0)
 		default:
 			iNdEx = preIndex
 			skippy, err := skipPlugin(dAtA[iNdEx:])

cmpserver/plugin/config.go

@@ -22,11 +22,11 @@ type PluginConfig struct {
 }
 
 type PluginConfigSpec struct {
-	Version          string     `json:"version"`
-	Init             Command    `json:"init,omitempty"`
-	Generate         Command    `json:"generate"`
-	Discover         Discover   `json:"discover"`
-	Parameters       Parameters `yaml:"parameters"`
+	Version    string     `json:"version"`
+	Init       Command    `json:"init,omitempty"`
+	Generate   Command    `json:"generate"`
+	Discover   Discover   `json:"discover"`
+	Parameters Parameters `yaml:"parameters"`
 }
 
 //Discover holds find and fileName
@@ -84,9 +84,7 @@ func ValidatePluginConfig(config PluginConfig) error {
 	if len(config.Spec.Generate.Command) == 0 {
 		return fmt.Errorf("invalid plugin configuration file. spec.generate command should be non-empty")
 	}
-	if config.Spec.Discover.Find.Glob == "" && len(config.Spec.Discover.Find.Command.Command) == 0 && config.Spec.Discover.FileName == "" {
-		return fmt.Errorf("invalid plugin configuration file. atleast one of discover.find.command or discover.find.glob or discover.fineName should be non-empty")
-	}
+	// discovery field is optional as apps can now specify plugin names directly
 	return nil
 }
 

cmpserver/plugin/plugin.go

@@ -273,11 +273,11 @@ func (s *Service) matchRepositoryGeneric(stream MatchRepositoryStream) error {
 		return fmt.Errorf("match repository error receiving stream: %w", err)
 	}
 
-	isSupported, err := s.matchRepository(bufferedCtx, workDir, metadata.GetEnv())
+	isSupported, isDiscoveryEnabled, err := s.matchRepository(bufferedCtx, workDir, metadata.GetEnv())
 	if err != nil {
 		return fmt.Errorf("match repository error: %w", err)
 	}
-	repoResponse := &apiclient.RepositoryResponse{IsSupported: isSupported}
+	repoResponse := &apiclient.RepositoryResponse{IsSupported: isSupported, IsDiscoveryEnabled: isDiscoveryEnabled}
 
 	err = stream.SendAndClose(repoResponse)
 	if err != nil {
@@ -286,8 +286,9 @@ func (s *Service) matchRepositoryGeneric(stream MatchRepositoryStream) error {
 	return nil
 }
 
-func (s *Service) matchRepository(ctx context.Context, workdir string, envEntries []*apiclient.EnvEntry) (bool, error) {
+func (s *Service) matchRepository(ctx context.Context, workdir string, envEntries []*apiclient.EnvEntry) (isSupported bool, isDiscoveryEnabled bool, err error) {
 	config := s.initConstants.PluginConfig
+
 	if config.Spec.Discover.FileName != "" {
 		log.Debugf("config.Spec.Discover.FileName is provided")
 		pattern := filepath.Join(workdir, config.Spec.Discover.FileName)
@@ -295,9 +296,9 @@ func (s *Service) matchRepository(ctx context.Context, workdir string, envEntrie
 		if err != nil {
 			e := fmt.Errorf("error finding filename match for pattern %q: %w", pattern, err)
 			log.Debug(e)
-			return false, e
+			return false, true, e
 		}
-		return len(matches) > 0, nil
+		return len(matches) > 0, true, nil
 	}
 
 	if config.Spec.Discover.Find.Glob != "" {
@@ -309,27 +310,23 @@ func (s *Service) matchRepository(ctx context.Context, workdir string, envEntrie
 		if err != nil {
 			e := fmt.Errorf("error finding glob match for pattern %q: %w", pattern, err)
 			log.Debug(e)
-			return false, e
+			return false, true, e
 		}
 
-		if len(matches) > 0 {
-			return true, nil
+		return len(matches) > 0, true, nil
+	}
+
+	if len(config.Spec.Discover.Find.Command.Command) > 0 {
+		log.Debugf("Going to try runCommand.")
+		env := append(os.Environ(), environ(envEntries)...)
+		find, err := runCommand(ctx, config.Spec.Discover.Find.Command, workdir, env)
+		if err != nil {
+			return false, true, fmt.Errorf("error running find command: %w", err)
 		}
-		return false, nil
+		return find != "", true, nil
 	}
 
-	log.Debugf("Going to try runCommand.")
-	env := append(os.Environ(), environ(envEntries)...)
-
-	find, err := runCommand(ctx, config.Spec.Discover.Find.Command, workdir, env)
-	if err != nil {
-		return false, fmt.Errorf("error running find command: %w", err)
-	}
-
-	if find != "" {
-		return true, nil
-	}
-	return false, nil
+	return false, false, nil
 }
 
 // ParametersAnnouncementStream defines an interface able to send/receive a stream of parameter announcements.

cmpserver/plugin/plugin.proto

@@ -44,6 +44,7 @@ message ManifestResponse {
 
 message RepositoryResponse {
     bool isSupported = 1;
+    bool isDiscoveryEnabled = 2;
 }
 
 // ParametersAnnouncementResponse contains a list of announcements. This list represents all the parameters which a CMP

cmpserver/plugin/plugin_test.go

@@ -99,11 +99,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.True(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match plugin by filename if file not found", func(t *testing.T) {
 		// given
@@ -113,11 +114,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.False(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match a pattern with a syntax error", func(t *testing.T) {
 		// given
@@ -127,7 +129,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		_, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.ErrorContains(t, err, "syntax error")
@@ -142,11 +144,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.True(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match plugin by glob if not found", func(t *testing.T) {
 		// given
@@ -158,11 +161,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.False(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will throw an error for a bad pattern", func(t *testing.T) {
 		// given
@@ -174,7 +178,7 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		_, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		_, _, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.ErrorContains(t, err, "error finding glob match for pattern")
@@ -191,11 +195,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.True(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match plugin by command when returns no output", func(t *testing.T) {
 		// given
@@ -209,11 +214,11 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
-
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 		// then
 		assert.NoError(t, err)
 		assert.False(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will match plugin because env var defined", func(t *testing.T) {
 		// given
@@ -227,11 +232,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.True(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match plugin because no env var defined", func(t *testing.T) {
 		// given
@@ -246,11 +252,12 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.NoError(t, err)
 		assert.False(t, match)
+		assert.True(t, discovery)
 	})
 	t.Run("will not match plugin by command when command fails", func(t *testing.T) {
 		// given
@@ -264,11 +271,25 @@ func TestMatchRepository(t *testing.T) {
 		f := setup(t, withDiscover(d))
 
 		// when
-		match, err := f.service.matchRepository(context.Background(), f.path, f.env)
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
 
 		// then
 		assert.Error(t, err)
 		assert.False(t, match)
+		assert.True(t, discovery)
+	})
+	t.Run("will not match plugin as discovery is not set", func(t *testing.T) {
+		// given
+		d := Discover{}
+		f := setup(t, withDiscover(d))
+
+		// when
+		match, discovery, err := f.service.matchRepository(context.Background(), f.path, f.env)
+
+		// then
+		assert.NoError(t, err)
+		assert.False(t, match)
+		assert.False(t, discovery)
 	})
 }
 

common/common.go

@@ -1,6 +1,7 @@
 package common
 
 import (
+	"errors"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -316,3 +317,8 @@ const (
 	SecurityMedium    = 2 // Could indicate malicious events, but has a high likelihood of being user/system error (i.e. access denied)
 	SecurityLow       = 1 // Unexceptional entries (i.e. successful access logs)
 )
+
+// Common error messages
+const TokenVerificationError = "failed to verify the token"
+
+var TokenVerificationErr = errors.New(TokenVerificationError)

controller/appcontroller.go

@@ -335,7 +335,7 @@ func (ctrl *ApplicationController) handleObjectUpdated(managedByApp map[string]b
 		}
 
 		if !ctrl.canProcessApp(obj) {
-			// Don't force refresh app if app belongs to a different controller shard
+			// Don't force refresh app if app belongs to a different controller shard or is outside the allowed namespaces.
 			continue
 		}
 
@@ -417,7 +417,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	nodes := make([]appv1.ResourceNode, 0)
 	proj, err := ctrl.getAppProj(a)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get project: %w", err)
 	}
 
 	orphanedNodesMap := make(map[kube.ResourceKey]appv1.ResourceNode)
@@ -425,7 +425,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 	if proj.Spec.OrphanedResources != nil {
 		orphanedNodesMap, err = ctrl.stateCache.GetNamespaceTopLevelResources(a.Spec.Destination.Server, a.Spec.Destination.Namespace)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to get namespace top-level resources: %w", err)
 		}
 		warnOrphaned = proj.Spec.OrphanedResources.IsWarn()
 	}
@@ -435,12 +435,12 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 		var live = &unstructured.Unstructured{}
 		err := json.Unmarshal([]byte(managedResource.LiveState), &live)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to unmarshal live state of managed resources: %w", err)
 		}
 		var target = &unstructured.Unstructured{}
 		err = json.Unmarshal([]byte(managedResource.TargetState), &target)
 		if err != nil {
-			return nil, err
+			return nil, fmt.Errorf("failed to unmarshal target state of managed resources: %w", err)
 		}
 
 		if live == nil {
@@ -456,7 +456,11 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 		} else {
 			err := ctrl.stateCache.IterateHierarchy(a.Spec.Destination.Server, kube.GetResourceKey(live), func(child appv1.ResourceNode, appName string) bool {
 				permitted, _ := proj.IsResourcePermitted(schema.GroupKind{Group: child.ResourceRef.Group, Kind: child.ResourceRef.Kind}, child.Namespace, a.Spec.Destination, func(project string) ([]*appv1.Cluster, error) {
-					return ctrl.db.GetProjectClusters(context.TODO(), project)
+					clusters, err := ctrl.db.GetProjectClusters(context.TODO(), project)
+					if err != nil {
+						return nil, fmt.Errorf("failed to get project clusters: %w", err)
+					}
+					return clusters, nil
 				})
 				if !permitted {
 					return false
@@ -465,7 +469,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 				return true
 			})
 			if err != nil {
-				return nil, err
+				return nil, fmt.Errorf("failed to iterate resource hierarchy: %w", err)
 			}
 		}
 	}
@@ -514,7 +518,7 @@ func (ctrl *ApplicationController) getResourceTree(a *appv1.Application, managed
 
 	hosts, err := ctrl.getAppHosts(a, nodes)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("failed to get app hosts: %w", err)
 	}
 	return &appv1.ApplicationTree{Nodes: nodes, OrphanedNodes: orphanedNodes, Hosts: hosts}, nil
 }
@@ -1356,7 +1360,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 		} else {
 			var tree *appv1.ApplicationTree
 			if tree, err = ctrl.getResourceTree(app, managedResources); err == nil {
-				app.Status.Summary = tree.GetSummary()
+				app.Status.Summary = tree.GetSummary(app)
 				if err := ctrl.cache.SetAppResourcesTree(app.InstanceName(ctrl.namespace), tree); err != nil {
 					logCtx.Errorf("Failed to cache resources tree: %v", err)
 					return
@@ -1430,7 +1434,7 @@ func (ctrl *ApplicationController) processAppRefreshQueueItem() (processNext boo
 	if err != nil {
 		logCtx.Errorf("Failed to cache app resources: %v", err)
 	} else {
-		app.Status.Summary = tree.GetSummary()
+		app.Status.Summary = tree.GetSummary(app)
 	}
 
 	if project.Spec.SyncWindows.Matches(app).CanSync(false) {
@@ -1773,6 +1777,13 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 	if !ok {
 		return false
 	}
+
+	// Only process given app if it exists in a watched namespace, or in the
+	// control plane's namespace.
+	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
+		return false
+	}
+
 	if ctrl.clusterFilter != nil {
 		cluster, err := ctrl.db.GetCluster(context.Background(), app.Spec.Destination.Server)
 		if err != nil {
@@ -1781,12 +1792,6 @@ func (ctrl *ApplicationController) canProcessApp(obj interface{}) bool {
 		return ctrl.clusterFilter(cluster)
 	}
 
-	// Only process given app if it exists in a watched namespace, or in the
-	// control plane's namespace.
-	if app.Namespace != ctrl.namespace && !glob.MatchStringInList(ctrl.applicationNamespaces, app.Namespace, false) {
-		return false
-	}
-
 	return true
 }
 

controller/appcontroller_test.go

@@ -1373,3 +1373,31 @@ func TestToAppKey(t *testing.T) {
 		})
 	}
 }
+
+func Test_canProcessApp(t *testing.T) {
+	app := newFakeApp()
+	ctrl := newFakeController(&fakeData{apps: []runtime.Object{app}})
+	ctrl.applicationNamespaces = []string{"good"}
+	t.Run("without cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("without cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+	t.Run("with cluster filter, good namespace", func(t *testing.T) {
+		app.Namespace = "good"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.True(t, canProcess)
+	})
+	t.Run("with cluster filter, bad namespace", func(t *testing.T) {
+		app.Namespace = "bad"
+		ctrl.clusterFilter = func(_ *argoappv1.Cluster) bool { return true }
+		canProcess := ctrl.canProcessApp(app)
+		assert.False(t, canProcess)
+	})
+}

controller/cache/cache.go

@@ -220,10 +220,10 @@ func asResourceNode(r *clustercache.Resource) appv1.ResourceNode {
 		gv = schema.GroupVersion{}
 	}
 	parentRefs := make([]appv1.ResourceRef, len(r.OwnerRefs))
-	for _, ownerRef := range r.OwnerRefs {
+	for i, ownerRef := range r.OwnerRefs {
 		ownerGvk := schema.FromAPIVersionAndKind(ownerRef.APIVersion, ownerRef.Kind)
 		ownerKey := kube.NewResourceKey(ownerGvk.Group, ownerRef.Kind, r.Ref.Namespace, ownerRef.Name)
-		parentRefs[0] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: r.Ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
+		parentRefs[i] = appv1.ResourceRef{Name: ownerRef.Name, Kind: ownerKey.Kind, Namespace: r.Ref.Namespace, Group: ownerKey.Group, UID: string(ownerRef.UID)}
 	}
 	var resHealth *appv1.HealthStatus
 	resourceInfo := resInfo(r)

controller/cache/cache_test.go

@@ -6,10 +6,11 @@ import (
 	"net/url"
 	"testing"
 
-	apierr "k8s.io/apimachinery/pkg/api/errors"
-	"k8s.io/apimachinery/pkg/runtime/schema"
-
 	"github.com/stretchr/testify/assert"
+	"k8s.io/api/core/v1"
+	apierr "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 
 	"github.com/argoproj/gitops-engine/pkg/cache"
 	"github.com/argoproj/gitops-engine/pkg/cache/mocks"
@@ -153,3 +154,51 @@ func TestIsRetryableError(t *testing.T) {
 		assert.True(t, isRetryableError(connectionReset))
 	})
 }
+
+func Test_asResourceNode_owner_refs(t *testing.T) {
+	resNode := asResourceNode(&cache.Resource{
+		ResourceVersion: "",
+		Ref: v1.ObjectReference{
+			APIVersion: "v1",
+		},
+		OwnerRefs: []metav1.OwnerReference{
+			{
+				APIVersion: "v1",
+				Kind:       "ConfigMap",
+				Name:       "cm-1",
+			},
+			{
+				APIVersion: "v1",
+				Kind:       "ConfigMap",
+				Name:       "cm-2",
+			},
+		},
+		CreationTimestamp: nil,
+		Info:              nil,
+		Resource:          nil,
+	})
+	expected := appv1.ResourceNode{
+		ResourceRef: appv1.ResourceRef{
+			Version: "v1",
+		},
+		ParentRefs: []appv1.ResourceRef{
+			{
+				Group: "",
+				Kind:  "ConfigMap",
+				Name:  "cm-1",
+			},
+			{
+				Group: "",
+				Kind:  "ConfigMap",
+				Name:  "cm-2",
+			},
+		},
+		Info:            nil,
+		NetworkingInfo:  nil,
+		ResourceVersion: "",
+		Images:          nil,
+		Health:          nil,
+		CreatedAt:       nil,
+	}
+	assert.Equal(t, expected, resNode)
+}

docs/cli_installation.md

@@ -39,6 +39,31 @@ rm argocd-linux-amd64
 
 You should now be able to run `argocd` commands.
 
+
+## Mac (M1)
+
+### Download With Curl
+
+You can view the latest version of Argo CD at the link above or run the following command to grab the version:
+
+```bash
+VERSION=$(curl --silent "https://api.github.com/repos/argoproj/argo-cd/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/')
+```
+
+Replace `VERSION` in the command below with the version of Argo CD you would like to download:
+
+```bash
+curl -sSL -o argocd-darwin-arm64 https://github.com/argoproj/argo-cd/releases/download/$VERSION/argocd-darwin-arm64
+```
+
+Install the Argo CD CLI binary:
+
+```bash
+sudo install -m 555 argocd-darwin-arm64 /usr/local/bin/argocd
+rm argocd-darwin-arm64
+```
+
+
 ## Mac
 
 ### Homebrew

docs/developer-guide/architecture/authz-authn.md

@@ -0,0 +1,109 @@
+# Authentication and Authorization
+
+This document describes how authentication (authn) and authorization
+(authz) are implemented in Argo CD. There is a clear distinction in
+the code base of when and how these two security concepts are
+enforced.
+
+## Logical layers
+
+The diagram bellow suggests 4 different logical layers (represented by
+4 boxes: HTTP, gRPC, AuthN and AuthZ) inside Argo CD API server that
+collaborate to provide authentication and authorization. 
+
+- **HTTP**: The HTTP layer groups the *logical elements* that
+  collaborate to handle HTTP requests. Every incoming request reaches
+  the same HTTP server at the same port (8080). This server will
+  analyze the request headers and dispatch to the proper internal
+  server: gRPC or standard HTTP.
+
+- **gRPC**: The [gRPC][4] layer groups the logical elements responsible for
+  the gRPC implementation.
+
+- **AuthN**: The AuthN represents the layer responsible for
+  authentication.
+
+- **AuthZ**: The AuthZ represents the layer responsible for
+  authorization.
+
+![Argo CD Architecture](../../assets/argocd-arch-authn-authz.jpg)
+
+## Logical elements
+
+The logical elements (identified by numbers) can represent an object,
+a function or a component in the code base. Note that this particular
+distinction is not represented in the diagram.
+
+Incoming requests can reach Argo CD API server from the web UI as well
+as from the `argocd` CLI. The responsibility of the represented
+elements are described below with their respective numbers:
+
+1. **Cmux**: Uses the [cmux][1] library to provide a connection
+   multiplexer capability making it possible to use the same port to
+   handle standard HTTP as well as gRPC requests. It is responsible
+   for inspecting incoming requests and dispatch to appropriate
+   internal servers. If the request version is `http1.x` it will
+   delegate to the *http mux*. If the request version is `http2` and
+   has the header `content-type: application/grpc`, it will delegate
+   to the *gRPC Server*.
+
+1. **HTTP mux**: A [standard HTTP multiplexer][8] that will handle non
+   gRPC requests. It is responsible for serving a unified [REST
+   API][3] to the web UI exposing all gRPC and non-gRPC services.
+
+1. **gRPC-gateway**: Uses the [grpc-gateway][2] library to translate
+   internal gRPC services and expose them as a [REST API][3]. The
+   great majority of API services in Argo CD are implemented in gRPC.
+   The grpc-gateway makes it possible to access gRPC services from the
+   web UI.
+
+1. **Server**: The internal gRPC Server responsible for handling gRPC
+   requests.
+
+1. **AuthN**: Is responsible for invoking the authentication logic. It
+   is registered as a gRPC interceptor which will automatically
+   trigger for every gRPC request.
+
+1. **Session Manager**: Is the object responsible for managing Argo CD
+   API server session. It provides the functionality to verify the
+   validity of the authentication token provided in the request.
+   Depending on how Argo CD is configured it may or may not delegate
+   to an external AuthN provider to verify the token.
+
+1. **AuthN Provider**: Describes the component that can be plugged in
+   Argo CD API server to provide the authentication functionality such
+   as the login and the token verification process.
+
+1. **Service Method**: represents the method implementing the business
+   logic (core functionality) requested. An example of business logic
+   is: `List Applications`. Service methods are also responsible for
+   invoking the [RBAC][7] enforcement function to validate if the
+   authenticated user has permission to execute this method.
+
+1. **RBAC**: Is a collection of functions to provide the capability to
+   verify if the user has permission to execute a specific action in
+   Argo CD. It does so by validating the incoming request action
+   against predefined [RBAC][7] rules that can be configured in Argo CD
+   API server as well as in Argo CD `Project` CRD.
+
+1. **Casbin**: Uses the [Casbin][5] library to enforce [RBAC][7] rules.
+
+1. **AuthN Middleware**: Is an [HTTP Middleware][6] configured to
+   invoke the logic to verify the token for HTTP services that are not
+   implemented as gRPC and requires authentication.
+
+1. **HTTP Handler**: represents the http handlers responsible for
+   invoking the business logic (core functionality) requested. An
+   example of business logic is: `List Applications`. Http handlers
+   are also responsible for invoking the [RBAC][7] enforcement function to
+   validate if the authenticated user has permission to execute this
+   business logic.
+
+[1]: https://github.com/soheilhy/cmux
+[2]: https://github.com/grpc-ecosystem/grpc-gateway
+[3]: https://en.wikipedia.org/wiki/Representational_state_transfer
+[4]: https://grpc.io/
+[5]: https://casbin.org/
+[6]: https://github.com/golang/go/wiki/LearnServerProgramming#middleware
+[7]: https://en.wikipedia.org/wiki/Role-based_access_control
+[8]: https://pkg.go.dev/net/http#ServeMux

docs/developer-guide/release-process-and-cadence.md

@@ -1,49 +1,78 @@
 # Release Process And Cadence
 
-Argo CD is being developed using the following process:
+## Release Cycle
 
-* Maintainers commit to work on set of features and enhancements and create GitHub milestone to track the work.
-* We are trying to avoid delaying release and prefer moving the feature into the next release if we cannot complete it on time.
-* The new release is published every **3 months**.
-* Critical bug-fixes are cherry-picked into the release branch and delivered using patch releases as frequently as needed.
+### Schedule
 
-## Release Planning
+These are the upcoming releases dates:
 
-We are using GitHub milestones to perform release planning and tracking. Each release milestone includes two type of issues:
+| Release | Release Planning Meeting | Release Candidate 1   | General Availability | Release Champion                                      | Checklist                                                     |
+|---------|--------------------------|-----------------------|----------------------|-------------------------------------------------------|---------------------------------------------------------------|
+| v2.6    | Monday, Dec. 12, 2022    | Monday, Dec. 19, 2022 | Monday, Feb. 6, 2023 | [William Tam](https://github.com/wtam2018)            | [checklist](https://github.com/argoproj/argo-cd/issues/11563) |
+| v2.7    | Monday, Mar. 6, 2023     | Monday, Mar. 20, 2023 | Monday, May. 1, 2023 | [Pavel Kostohrys](https://github.com/pasha-codefresh) |
+| v2.8    | Monday, Jun. 5, 2023     | Monday, Jun. 19, 2023 | Monday, Aug. 7, 2023 | [Keith Chong](https://github.keithchong)
+| v2.9    | Monday, Sep. 4, 2023     | Monday, Sep. 18, 2023 | Monday, Nov. 6, 2023 |
 
-* Issues that maintainers committed to working on. Maintainers decide which features they are committing to work on during the next release based on
-  their availability. Typically issues added offline by each maintainer and finalized during the contributors' meeting. Each such issue should be
-  assigned to maintainer who plans to implement and test it.
-* Nice to have improvements contributed by community contributors. Nice to have issues are typically not critical, smallish enhancements that could
-  be contributed by community contributors. Maintainers are not committing to implement them but committing to review PR from the community.
+Actual release dates might differ from the plan by a few days.
 
-The milestone should have a clear description of the most important features as well as the expected end date. This should provide clarity to end-users
-about what to expect from the next release and when.
+### Release Process
 
-In addition to the next milestone, we need to maintain a draft of the upcoming release milestone. 
+#### Minor Releases (e.g. 2.x.0)
 
-## Community Contributions
+A minor Argo CD release occurs four times a year, once every three months. Each General Availability (GA) release is
+preceded by several Release Candidates (RCs). The first RC is released three weeks before the scheduled GA date. This
+effectively means that there is a three-week feature freeze.
 
-We receive a lot of contributions from our awesome community, and we're very grateful for that fact. However, reviewing and testing PRs is a lot of (unplanned) work and therefore, we cannot guarantee that contributions (especially large or complex ones) made by the community receive a timely review within a release's time frame. Maintainers may decide on their own to put work on a PR together with the contributor and in this case, the maintainer will self-assigned the PR and thereby committing to review, eventually merge and later test it on the release scope.
+These are the approximate release dates:
 
-## Release Testing
+* The first Monday of February
+* The first Monday of May
+* The first Monday of August
+* The first Monday of November
 
-We need to make sure that each change, both from maintainers and community contributors, is tested well and have someone who is going to fix last-minute
-bugs. In order to ensure it, each merged pull request must have an assigned maintainer before it gets merged. The assigned maintainer will be working on
-testing the introduced changes and fixing of any introduced bugs.
+Dates may be shifted slightly to accommodate holidays. Those shifts should be minimal.
 
-We have a code freeze period two weeks before the release until the release branch is created. During code freeze no feature PR should be merged and it is ok
-to merge bug fixes.
+#### Patch Releases (e.g. 2.5.x)
 
-Maintainers assigned to a PR that's been merged should drive testing and work on fixing last-minute issues. For tracking purposes after verifying PR the assigned
-the maintainer should label it with a `verified` label.
+Argo CD patch releases occur on an as-needed basis. Only the three most recent minor versions are eligible for patch
+releases. Versions older than the three most recent minor versions are considered EOL and will not receive bug fixes or
+security updates.
 
-## Releasing
+#### Minor Release Planning Meeting
 
-The releasing procedure is described in [releasing](./releasing.md) document. Before closing the release milestone following should be verified:
+Roughly two weeks before the RC date, there will be a meeting to discuss which features are planned for the RC. This meeting is
+for contributors to advocate for certain features. Features which have at least one approver (besides the contributor)
+who can assure they will review/merge by the RC date will be included in the release milestone. All other features will
+be dropped from the milestone (and potentially shifted to the next one).
 
-- [ ] All merged PRs and verified (verify and remove `needs-verification` label):
-- [ ] Triage issues reported by `yarn audit` and ensure there are no exploitable security issues.
-- [ ] Roadmap is updated based one current release changes
-- [ ] Next release milestone is created
-- [ ] Upcoming release milestone is updated
+Since not everyone will be able to attend the meeting, there will be a meeting doc. Contributors can add their feature
+to a table, and Approvers can add their name to the table. Features with a corresponding approver will remain in the
+release milestone.
+
+#### Release Champion
+
+To help manage all the steps involved in a release, we will have a Release Champion. The Release Champion will be
+responsible for a checklist of items for their release. The checklist is an issue template in the Argo CD repository.
+
+The Release Champion can be anyone in the Argo CD community. Some tasks (like cherry-picking bug fixes and cutting
+releases) require [Approver](https://github.com/argoproj/argoproj/blob/master/community/membership.md#community-membership)
+membership. The Release Champion can delegate tasks when necessary and will be responsible for coordinating with the
+Approver.
+
+### Feature Acceptance Criteria
+
+To be eligible for inclusion in a minor release, a new feature must meet the following criteria before the release’s RC
+date.
+
+If it is a large feature that involves significant design decisions, that feature must be described in a Proposal, and
+that Proposal must be reviewed and merged.
+
+The feature PR must include:
+
+* Tests (passing)
+* Documentation
+* If necessary, a note in the Upgrading docs for the planned minor release
+* The PR must be reviewed, approved, and merged by an Approver.
+
+If these criteria are not met by the RC date, the feature will be ineligible for inclusion in the RC series or GA for
+that minor release. It will have to wait for the next minor release.

docs/developer-guide/toolchain-guide.md

@@ -117,6 +117,27 @@ The Docker container for the virtualized toolchain will use the following local
 
 The following steps are required no matter whether you chose to use a virtualized or a local toolchain.
 
+!!!note "Docker privileges"
+    If you opt in to use the virtualized toolchain, you will need to have the
+    appropriate privileges to interact with the Docker daemon. It is not
+    recommended to work as the root user, and if your user does not have the
+    permissions to talk to the Docker user, but you have `sudo` setup on your
+    system, you can set the environment variable `SUDO` to `sudo` in order to
+    have the build scripts make any calls to the `docker` CLI using sudo,
+    without affecting the other parts of the build scripts (which should be
+    executed with your normal user privileges).
+
+    You can either set this before calling `make`, like so for example:
+
+    ```
+    SUDO=sudo make sometarget
+    ```
+
+    Or you can opt to export this permanently to your environment, for example
+    ```
+    export SUDO=sudo
+    ```
+
 ### Clone the Argo CD repository from your personal fork on GitHub
 
 * `mkdir -p ~/go/src/github.com/argoproj`

docs/operator-manual/application.yaml

@@ -142,7 +142,10 @@ spec:
 
   # Destination cluster and namespace to deploy the application
   destination:
+    # cluster API URL
     server: https://kubernetes.default.svc
+    # or cluster name
+    # name: in-cluster
     # The namespace will only be set for namespace-scoped resources that have not set a value for .metadata.namespace
     namespace: guestbook
 

docs/operator-manual/applicationset.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: test-hello-world-appset
+  namespace: argocd
+spec:
+  # See docs for available generators and their specs.
+  generators:
+  - list:
+      elements:
+      - cluster: https://kubernetes.default.svc
+  # Determines whether go templating will be used in the `template` field below.
+  goTemplate: false
+  # These fields are identical to the Application spec.
+  template:
+    metadata:
+      name: test-hello-world-app
+    spec:
+      project: my-project
+  # This sync policy pertains to the ApplicationSet, not to the Applications it creates.
+  syncPolicy:
+    # Determines whether the controller will delete Applications when an ApplicationSet is deleted.
+    preserveResourcesOnDeletion: false
+  # Alpha feature to determine the order in which ApplicationSet applies changes.
+  strategy:

docs/operator-manual/applicationset/Generators-Pull-Request.md

@@ -60,7 +60,7 @@ spec:
 * `repo`: Required name of the GitHub repository.
 * `api`: If using GitHub Enterprise, the URL to access it. (Optional)
 * `tokenRef`: A `Secret` name and key containing the GitHub access token to use for requests. If not specified, will make anonymous requests which have a lower rate limit and can only see public repositories. (Optional)
-* `labels`: Labels is used to filter the PRs that you want to target. (Optional)
+* `labels`: Filter the PRs to those containing **all** of the labels listed. (Optional)
 * `appSecretName`: A `Secret` name containing a GitHub App secret in [repo-creds format][repo-creds].
 
 [repo-creds]: ../declarative-setup.md#repository-credentials

docs/operator-manual/applicationset/Progressive-Syncs.md

@@ -1,20 +1,21 @@
-# Progressive Rollouts
+# Progressive Syncs
 
 !!! warning "Alpha Feature"
     This is an experimental, alpha-quality feature that allows you to control the order in which the ApplicationSet controller will create or update the Applications owned by an ApplicationSet resource. It may be removed in future releases or modified in backwards-incompatible ways.
 
 ## Use Cases
-The Progressive Rollouts feature set is intended to be light and flexible. The feature only interacts with the health of managed Applications. It is not intended to support direct integrations with other Rollout controllers (such as the native ReplicaSet controller or Argo Rollouts).
+The Progressive Syncs feature set is intended to be light and flexible. The feature only interacts with the health of managed Applications. It is not intended to support direct integrations with other Rollout controllers (such as the native ReplicaSet controller or Argo Rollouts).
 
-* Progressive Rollouts watch for the managed Application resources to become "Healthy" before proceeding to the next stage.
+* Progressive Syncs watch for the managed Application resources to become "Healthy" before proceeding to the next stage.
 * Deployments, DaemonSets, StatefulSets, and [Argo Rollouts](https://argoproj.github.io/argo-rollouts/) are all supported, because the Application enters a "Progressing" state while pods are being rolled out. In fact, any resource with a health check that can report a "Progressing" status is supported.
 * [Argo CD Resource Hooks](../../user-guide/resource_hooks.md) are supported. We recommend this approach for users that need advanced functionality when an Argo Rollout cannot be used, such as smoke testing after a DaemonSet change.
 
-## Enabling Progressive Rollouts
-As an experimental feature, progressive rollouts must be explicitly enabled, in one of these ways.
-1. Pass `--enable-progressive-rollouts` to the ApplicationSet controller args.
-1. Set `ARGOCD_APPLICATIONSET_ENABLE_PROGRESSIVE_ROLLOUTS=true` in the ApplicationSet controller environment variables.
-1. Set `applicationsetcontroller.enable.progressive.rollouts: true` in the ArgoCD ConfigMap.
+## Enabling Progressive Syncs
+As an experimental feature, progressive syncs must be explicitly enabled, in one of these ways.
+
+1. Pass `--enable-progressive-syncs` to the ApplicationSet controller args.
+1. Set `ARGOCD_APPLICATIONSET_CONTROLLER_ENABLE_PROGRESSIVE_SYNCS=true` in the ApplicationSet controller environment variables.
+1. Set `applicationsetcontroller.enable.progressive.syncs: true` in the Argo CD ConfigMap.
 
 ## Strategies
 
@@ -30,7 +31,7 @@ All Applications managed by the ApplicationSet resource are updated simultaneous
 This update strategy allows you to group Applications by labels present on the generated Application resources.
 When the ApplicationSet changes, the changes will be applied to each group of Application resources sequentially.
 
-* Application groups are selected by `matchExpressions`.
+* Application groups are selected using their labels and `matchExpressions`.
 * All `matchExpressions` must be true for an Application to be selected (multiple expressions match with AND behavior).
 * The `In` and `NotIn` operators must match at least one value to be considered true (OR behavior).
 * The `NotIn` operatorn has priority in the event that both a `NotIn` and `In` operator produce a match.
@@ -43,9 +44,10 @@ When the ApplicationSet changes, the changes will be applied to each group of Ap
 * If an Application is considered "Pending" for `applicationsetcontroller.default.application.progressing.timeout` seconds, the Application is automatically moved to Healthy status (default 300).
 
 #### Example
-The following example illustrates how to stage a progressive rollout over Applications with explicitly configured environment labels.
+The following example illustrates how to stage a progressive sync over Applications with explicitly configured environment labels.
 
 Once a change is pushed, the following will happen in order.
+
 * All `env-dev` Applications will be updated simultaneously.
 * The rollout will wait for all `env-qa` Applications to be manually synced via the `argocd` CLI or by clicking the Sync button in the UI.
 * 10% of all `env-prod` Applications will be updated at a time until all `env-prod` Applications have been updated.
@@ -74,19 +76,19 @@ spec:
     rollingSync:
       steps:
         - matchExpressions:
-            - key: env
+            - key: envLabel
               operator: In
               values:
                 - env-dev
           #maxUpdate: 100%  # if undefined, all applications matched are updated together (default is 100%)
         - matchExpressions:
-            - key: env
+            - key: envLabel
               operator: In
               values:
                 - env-qa
           maxUpdate: 0      # if 0, no matched applications will be updated
         - matchExpressions:
-            - key: env
+            - key: envLabel
               operator: In
               values:
                 - env-prod
@@ -96,7 +98,7 @@ spec:
     metadata:
       name: '{{.cluster}}-guestbook'
       labels:
-        env: '{{.env}}'
+        envLabel: '{{.env}}'
     spec:
       project: my-project
       source:

docs/operator-manual/argocd-cm.yaml

@@ -47,7 +47,7 @@ data:
   help.download.windows-amd64: "path-or-url-to-download"
 
   # A dex connector configuration (optional). See SSO configuration documentation:
-  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/sso
+  # https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/user-management/index.md#sso
   # https://dexidp.io/docs/connectors/
   dex.config: |
     connectors:
@@ -330,4 +330,4 @@ data:
   resource.links: |
     - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
       title: Splunk
-      if: kind == "Pod" || kind == "Deployment"
+      if: kind == "Pod" || kind == "Deployment"

docs/operator-manual/argocd-cmd-params-cm.yaml

@@ -164,5 +164,5 @@ data:
   applicationsetcontroller.dryrun: "false"
   # Enable git submodule support
   applicationsetcontroller.enable.git.submodule: "true"
-  # Enables use of the Progressive Rollouts capability
-  applicationsetcontroller.enable.progressive.rollouts: "false"
+  # Enables use of the Progressive Syncs capability
+  applicationsetcontroller.enable.progressive.syncs: "false"

docs/operator-manual/argocd-repositories.yaml

@@ -4,18 +4,33 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: my-private-repo
+  name: my-private-https-repo
   namespace: argocd
   labels:
     argocd.argoproj.io/secret-type: repository
 stringData:
-  url: https://github.com/argoproj/my-private-repository
+  url: https://github.com/argoproj/argocd-example-apps
   password: my-password
   username: my-username
+  insecure: "true" # Ignore validity of server's TLS certificate. Defaults to "false"
+  forceHttpBasicAuth: "true" # Skip auth method negotiation and force usage of HTTP basic auth. Defaults to "false"
+  enableLfs: "true" # Enable git-lfs for this repository. Defaults to "false"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: my-private-ssh-repo
+  namespace: argocd
+  labels:
+    argocd.argoproj.io/secret-type: repository
+stringData:
+  url: ssh://git@github.com/argoproj/argocd-example-apps
   sshPrivateKey: |
     -----BEGIN OPENSSH PRIVATE KEY-----
     ...
     -----END OPENSSH PRIVATE KEY-----
+  insecure: "true" # Do not perform a host key check for the server. Defaults to "false"
+  enableLfs: "true" # Enable git-lfs for this repository. Defaults to "false"
 ---
 apiVersion: v1
 kind: Secret

docs/operator-manual/config-management-plugins.md

@@ -26,14 +26,14 @@ There are two ways to install a Config Management Plugin:
 2. Add the plugin as a sidecar to the repo-server Pod.
    This is a good option for a more complex plugin that would clutter the Argo CD ConfigMap. A copy of the repository is 
    sent to the sidecar container as a tarball and processed individually per application, which makes it a good option 
-   for [concurrent processing of monorepos](../operator-manual/high_availability.md#enable-concurrent-processing).
+   for [concurrent processing of monorepos](high_availability.md#enable-concurrent-processing).
 
 ### Option 1: Configure plugins via Argo CD configmap (deprecated)
 
 The following changes are required to configure a new plugin:
 
 1. Make sure required binaries are available in `argocd-repo-server` pod. The binaries can be added via volume mounts or 
-   using a custom image (see [custom_tools](../operator-manual/custom_tools.md) for examples of both).
+   using a custom image (see [custom_tools](custom_tools.md) for examples of both).
 2. Register a new plugin in `argocd-cm` ConfigMap:
 
         :::yaml
@@ -92,7 +92,8 @@ spec:
       - |
         echo "{\"kind\": \"ConfigMap\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"$ARGOCD_APP_NAME\", \"namespace\": \"$ARGOCD_APP_NAMESPACE\", \"annotations\": {\"Foo\": \"$ARGOCD_ENV_FOO\", \"KubeVersion\": \"$KUBE_VERSION\", \"KubeApiVersion\": \"$KUBE_API_VERSIONS\",\"Bar\": \"baz\"}}}"
   # The discovery config is applied to a repository. If every configured discovery tool matches, then the plugin may be
-  # used to generate manifests for Applications using the repository. 
+  # used to generate manifests for Applications using the repository. If the discovery config is omitted then the plugin 
+  # will not match any application but can still be invoked explicitly by specifying the plugin name in the app spec. 
   # Only one of fileName, find.glob, or find.command should be specified. If multiple are specified then only the 
   # first (in that order) is evaluated.
   discover:
@@ -246,7 +247,7 @@ volumes:
 Plugin commands have access to
 
 1. The system environment variables (of the repo-server container for argocd-cm plugins or of the sidecar for sidecar plugins)
-2. [Standard build environment variables](build-environment.md)
+2. [Standard build environment variables](../user-guide/build-environment.md)
 3. Variables in the Application spec (References to system and build variables will get interpolated in the variables' values):
 
 ```yaml
@@ -337,7 +338,7 @@ argocd app create <appName> --config-management-plugin <pluginName>
 If your CMP is defined as a sidecar, you must manually define the Application manifest. You may leave the `name` field
 empty in the `plugin` section for the plugin to be automatically matched with the Application based on its discovery rules. If you do mention the name make sure 
 it is either `<metadata.name>-<spec.version>` if version is mentioned in the `ConfigManagementPlugin` spec or else just `<metadata.name>`. When name is explicitly 
-specified only that particular plugin will be used iff it's discovery pattern/command matches the provided application repo.
+specified only that particular plugin will be used iff its discovery pattern/command matches the provided application repo.
 
 ```yaml
 apiVersion: argoproj.io/v1alpha1
@@ -452,7 +453,8 @@ spec:
 
 ### 2. Write discovery rules for your plugin
 
-Sidecar plugins use discovery rules instead of a plugin name to match Applications to plugins.
+Sidecar plugins can use either discovery rules or a plugin name to match Applications to plugins. If the discovery rule is omitted 
+then you have to explicitly specify the plugin by name in the app spec or else that particular plugin will not match any app.
 
 Write rules applicable to your plugin [using the instructions above](#1-write-the-plugin-configuration-file) and add
 them to your configuration file.

docs/operator-manual/custom_tools.md

@@ -7,7 +7,7 @@ other than what Argo CD bundles. Some reasons to do this might be:
 * To upgrade/downgrade to a specific version of a tool due to bugs or bug fixes.
 * To install additional dependencies to be used by kustomize's configmap/secret generators.
   (e.g. curl, vault, gpg, AWS CLI)
-* To install a [config management plugin](../user-guide/config-management-plugins.md).
+* To install a [config management plugin](config-management-plugins.md).
 
 As the Argo CD repo-server is the single service responsible for generating Kubernetes manifests, it
 can be customized to use alternative toolchain required by your environment.
@@ -51,7 +51,7 @@ following example builds an entirely customized repo-server from a Dockerfile, i
 dependencies that may be needed for generating manifests.
 
 ```Dockerfile
-FROM argoproj/argocd:latest
+FROM argoproj/argocd:v2.5.4 # Replace tag with the appropriate argo version
 
 # Switch to root for the ability to perform install
 USER root
@@ -69,5 +69,5 @@ RUN apt-get update && \
     chmod +x /usr/local/bin/sops
 
 # Switch back to non-root user
-USER 999
+USER $ARGOCD_USER_ID
 ```

docs/operator-manual/deep_links.md

@@ -0,0 +1,63 @@
+# Deep Links
+
+Deep links allow users to quickly redirect to third-party systems, such as Splunk, Datadog, etc. from the Argo CD
+user interface.
+
+Argo CD administrator will be able to configure links to third-party systems by providing 
+deep link templates configured in `argocd-cm`. The templates can be conditionally rendered and are able 
+to reference different types of resources relating to where the links show up, this includes projects, applications,
+or individual resources (pods, services, etc.).
+
+## Configuring Deep Links
+
+The configuration for Deep Links is present in `argocd-cm` as `<location>.links` fields where 
+`<location>` determines where it will be displayed. The possible values for `<location>` are :
+- `project` : all links under this field will show up in the project tab in the Argo CD UI
+- `application` : all links under this field will show up in the application summary tab
+- `resource` : all links under this field will show up in the resource (deployments, pods, services, etc.) summary tab
+
+Each link in the list has five subfields :
+1. `title` : title/tag that will be displayed in the UI corresponding to that link
+2. `url` : the actual URL where the deep link will redirect to, this field can be templated to use data from the
+   corresponing application, project or resource objects (depending on where it is located). This uses [text/template](pkg.go.dev/text/template) pkg for templating
+3. `description` (optional) : a description for what the deep link is about
+4. `icon.class` (optional) : a font-awesome icon class to be used when displaying the links in dropdown menus
+5. `if` (optional) : a conditional statement that results in either `true` or `false`, it also has access to the same
+   data as the `url` field. If the condition resolves to `true` the deep link will be displayed - else it will be hidden. If
+   the field is omitted, by default the deep links will be displayed. This uses [antonmedv/expr](https://github.com/antonmedv/expr/tree/master/docs) for evaluating conditions
+
+!!!note
+   For resources of kind Secret the data fields are redacted but other fields are accessible for templating the deep links.
+
+!!!warning
+   Make sure to validate the url templates and inputs to prevent data leaks or possible generation of any malicious links.
+
+
+An example `argocd-cm.yaml` file with deep links and their variations :
+
+```yaml
+  # sample project level links
+  project.links: |
+    - url: https://myaudit-system.com?project={{.metadata.name}}
+      title: Audit
+      description: system audit logs
+      icon.class: "fa-book"
+  # sample application level links
+  application.links: |
+    # pkg.go.dev/text/template is used for evaluating url templates
+    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
+      title: Splunk
+    # conditionally show link e.g. for specific project
+    # github.com/antonmedv/expr is used for evaluation of conditions
+    - url: https://mycompany.splunk.com?search={{.spec.destination.namespace}}
+      title: Splunk
+      if: spec.project == "default"
+    - url: https://{{.metadata.annotations.splunkhost}}?search={{.spec.destination.namespace}}
+      title: Splunk
+      if: metadata.annotations.splunkhost
+  # sample resource level links
+  resource.links: |
+    - url: https://mycompany.splunk.com?search={{.metadata.namespace}}
+      title: Splunk
+      if: kind == "Pod" || kind == "Deployment"
+```

docs/operator-manual/health.md

@@ -16,6 +16,8 @@ with at least one value for `hostname` or `IP`.
 ### Ingress
 * The `status.loadBalancer.ingress` list is non-empty, with at least one value for `hostname` or `IP`.
 
+### Job
+* If job `.spec.suspended` is set to 'true', then the job and app health will be marked as suspended.
 ### PersistentVolumeClaim
 * The `status.phase` is `Bound`
 
@@ -38,7 +40,7 @@ metadata:
 data:
   resource.customizations: |
     argoproj.io/Application:
-      health.lua: |  
+      health.lua: |
         hs = {}
         hs.status = "Progressing"
         hs.message = ""
@@ -64,11 +66,11 @@ There are two ways to configure a custom health check. The next two sections des
 
 ### Way 1. Define a Custom Health Check in `argocd-cm` ConfigMap
 
-Custom health checks can be defined in 
+Custom health checks can be defined in
 ```yaml
   resource.customizations: |
     <group/kind>:
-      health.lua: | 
+      health.lua: |
 ```
 field of `argocd-cm`. If you are using argocd-operator, this is overridden by [the argocd-operator resourceCustomizations](https://argocd-operator.readthedocs.io/en/latest/reference/argocd/#resource-customizations).
 
@@ -101,15 +103,24 @@ data:
         hs.message = "Waiting for certificate"
         return hs
 ```
-In order to prevent duplication of the same custom health check for potentially multiple resources, it is also possible to specify a wildcard in the resource kind, like this:
+In order to prevent duplication of the custom health check for potentially multiple resources, it is also possible to specify a wildcard in the resource kind, and anywhere in the resource group, like this:
 
 ```yaml
   resource.customizations: |
     ec2.aws.crossplane.io/*:
+      health.lua: |
+        ...
+```
+
+```yaml
+  resource.customizations: |
+    *.aws.crossplane.io/*:
       health.lua: | 
         ...
 ```
 
+
+
 The `obj` is a global variable which contains the resource. The script must return an object with status and optional message field.
 The custom health check might return one of the following health statuses:
 

docs/operator-manual/high_availability.md

@@ -6,8 +6,8 @@ A set of HA manifests are provided for users who wish to run Argo CD in a highly
 
 [Manifests ⧉](https://github.com/argoproj/argo-cd/tree/master/manifests) 
 
-!!! note
-    The HA installation will require at least three different nodes due to pod anti-affinity roles in the specs.
+> **NOTE:** The HA installation will require at least three different nodes due to pod anti-affinity roles in the
+> specs. Additionally, IPv6 only clusters are not supported.
 
 ## Scaling Up
 
@@ -24,50 +24,46 @@ The `--parallelismlimit` flag controls how many manifests generations are runnin
 or custom plugin. As a result Git repositories with multiple applications might be affect repository server performance.
 Read [Monorepo Scaling Considerations](#monorepo-scaling-considerations) for more information.
 
-* `argocd-repo-server` clones repository into `/tmp` ( of path specified in `TMPDIR` env variable ). Pod might run out of disk space if have too many repository
-or repositories has a lot of files. To avoid this problem mount persistent volume.
+* `argocd-repo-server` clones the repository into `/tmp` (or the path specified in the `TMPDIR` env variable). The Pod might run out of disk space if it has too many repositories
+or if the repositories have a lot of files. To avoid this problem mount a persistent volume.
 
-* `argocd-repo-server` `git ls-remote` to resolve ambiguous revision such as `HEAD`, branch or tag name. This operation is happening pretty frequently
-and might fail. To avoid failed syncs use `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
+* `argocd-repo-server` uses `git ls-remote` to resolve ambiguous revisions such as `HEAD`, a branch or a tag name. This operation happens frequently
+and might fail. To avoid failed syncs use the `ARGOCD_GIT_ATTEMPTS_COUNT` environment variable to retry failed requests.
 
 * `argocd-repo-server` Every 3m (by default) Argo CD checks for changes to the app manifests. Argo CD assumes by default that manifests only change when the repo changes, so it caches generated manifests (for 24h by default). With Kustomize remote bases, or Helm patch releases, the manifests can change even though the repo has not changed. By reducing the cache time, you can get the changes without waiting for 24h. Use `--repo-cache-expiration duration`, and we'd suggest in low volume environments you try '1h'. Bear in mind this will negate the benefit of caching if set too low. 
 
-* `argocd-repo-server` fork exec config management tools such as `helm` or `kustomize` and enforces 90 seconds timeout. The timeout can be increased using `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in Go time duration string format, for example, `2m30s`.
+* `argocd-repo-server` executes config management tools such as `helm` or `kustomize` and enforces a 90 second timeout. This timeout can be changed by using the `ARGOCD_EXEC_TIMEOUT` env variable. The value should be in the Go time duration string format, for example, `2m30s`.
 
 **metrics:**
 
-* `argocd_git_request_total` - Number of git requests. The metric provides two tags: `repo` - Git repo URL; `request_type` - `ls-remote` or `fetch`.
+* `argocd_git_request_total` - Number of git requests. This metric provides two tags: `repo` - Git repo URL; `request_type` - `ls-remote` or `fetch`.
 
-* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issue. Note: metric is expensive to both query and store!
+* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - Is an environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issues. Note: This metric is expensive to both query and store!
 
 ### argocd-application-controller
 
 **settings:**
 
-The `argocd-application-controller` uses `argocd-repo-server` to get generated manifests and Kubernetes API server to get actual cluster state.
+The `argocd-application-controller` uses `argocd-repo-server` to get generated manifests and Kubernetes API server to get the actual cluster state.
 
-* each controller replica uses two separate queues to process application reconciliation (milliseconds) and app syncing (seconds). Number of queue processors for each queue is controlled by
-`--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase number of processors if your Argo CD instance manages too many applications.
+* each controller replica uses two separate queues to process application reconciliation (milliseconds) and app syncing (seconds). The number of queue processors for each queue is controlled by
+`--status-processors` (20 by default) and `--operation-processors` (10 by default) flags. Increase the number of processors if your Argo CD instance manages too many applications.
 For 1000 application we use 50 for `--status-processors` and 25 for `--operation-processors`
 
-* The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure controller refresh queue does not overflow.
-The app reconciliation fails with `Context deadline exceeded` error if manifest generating taking too much time. As workaround increase value of `--repo-server-timeout-seconds` and
-consider scaling up `argocd-repo-server` deployment.
+* The manifest generation typically takes the most time during reconciliation. The duration of manifest generation is limited to make sure the controller refresh queue does not overflow.
+The app reconciliation fails with `Context deadline exceeded` error if the manifest generation is taking too much time. As a workaround increase the value of `--repo-server-timeout-seconds` and
+consider scaling up the `argocd-repo-server` deployment.
 
-* The controller uses `kubectl` fork/exec to push changes into the cluster and to convert resource from preferred version into user specified version
-(e.g. Deployment `apps/v1` into `extensions/v1beta1`). Same as config management tool `kubectl` fork/exec might cause pod OOM kill. Use `--kubectl-parallelism-limit` flag to limit
-number of allowed concurrent kubectl fork/execs.
+* The controller uses Kubernetes watch APIs to maintain a lightweight Kubernetes cluster cache. This allows avoiding querying Kubernetes during app reconciliation and significantly improves
+performance. For performance reasons the controller monitors and caches only the preferred versions of a resource. During reconciliation, the controller might have to convert cached resources from the
+preferred version into a version of the resource stored in Git. If `kubectl convert` fails because the conversion is not supported then the controller falls back to Kubernetes API query which slows down
+reconciliation. In this case, we advise to use the preferred resource version in Git.
 
-* The controller uses Kubernetes watch APIs to maintain lightweight Kubernetes cluster cache. This allows to avoid querying Kubernetes during app reconciliation and significantly improve
-performance. For performance reasons controller monitors and caches only preferred the version of a resource. During reconciliation, the controller might have to convert cached resource from
-preferred version into a version of the resource stored in Git. If `kubectl convert` fails because conversion is not supported then controller falls back to Kubernetes API query which slows down
-reconciliation. In this case, we advise you to use the preferred resource version in Git.
-
-* The controller polls Git every 3m by default. You can increase this duration using `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.
+* The controller polls Git every 3m by default. You can change this duration using the `timeout.reconciliation` setting in the `argocd-cm` ConfigMap. The value of `timeout.reconciliation` is a duration string e.g `60s`, `1m`, `1h` or `1d`.
 
 * If the controller is managing too many clusters and uses too much memory then you can shard clusters across multiple
 controller replicas. To enable sharding increase the number of replicas in `argocd-application-controller` `StatefulSet`
-and repeat number of replicas in `ARGOCD_CONTROLLER_REPLICAS` environment variable. The strategic merge patch below
+and repeat the number of replicas in the `ARGOCD_CONTROLLER_REPLICAS` environment variable. The strategic merge patch below
 demonstrates changes required to configure two controller replicas.
 
 ```yaml
@@ -86,22 +82,22 @@ spec:
           value: "2"
 ```
 
-* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issue. Note: metric is expensive to both query and store!
+* `ARGOCD_ENABLE_GRPC_TIME_HISTOGRAM` - environment variable that enables collecting RPC performance metrics. Enable it if you need to troubleshoot performance issues. Note: This metric is expensive to both query and store!
 
 **metrics**
 
-* `argocd_app_reconcile` - reports application reconciliation duration. Can be used to build reconciliation duration heat map to get high-level reconciliation performance picture.
+* `argocd_app_reconcile` - reports application reconciliation duration. Can be used to build reconciliation duration heat map to get a high-level reconciliation performance picture.
 * `argocd_app_k8s_request_total` - number of k8s requests per application. The number of fallback Kubernetes API queries - useful to identify which application has a resource with
 non-preferred version and causes performance issues.
 
 ### argocd-server
 
-The `argocd-server` is stateless and probably least likely to cause issues. You might consider increasing number of replicas to 3 or more to ensure there is no downtime during upgrades.
+The `argocd-server` is stateless and probably least likely to cause issues. You might consider increasing the number of replicas to 3 or more to ensure there is no downtime during upgrades.
 
 **settings:**
 
 * The `ARGOCD_GRPC_MAX_SIZE_MB` environment variable allows specifying the max size of the server response message in megabytes.
-The default value is 200. You might need to increase for an Argo CD instance that manages 3000+ applications.    
+The default value is 200. You might need to increase this for an Argo CD instance that manages 3000+ applications.    
 
 ### argocd-dex-server, argocd-redis
 
@@ -109,17 +105,17 @@ The `argocd-dex-server` uses an in-memory database, and two or more instances wo
 
 ## Monorepo Scaling Considerations
 
-Argo CD repo server maintains one repository clone locally and use it for application manifest generation. If the manifest generation requires to change a file in the local repository clone then only one concurrent manifest generation per server instance is allowed. This limitation might significantly slowdown Argo CD if you have a mono repository with multiple applications (50+).
+Argo CD repo server maintains one repository clone locally and uses it for application manifest generation. If the manifest generation requires to change a file in the local repository clone then only one concurrent manifest generation per server instance is allowed. This limitation might significantly slowdown Argo CD if you have a mono repository with multiple applications (50+).
 
 ### Enable Concurrent Processing
 
-Argo CD determines if manifest generation might change local files in the local repository clone based on config management tool and application settings.
-If the manifest generation has no side effects then requests are processed in parallel without the performance penalty. Following are known cases that might cause slowness and workarounds:
+Argo CD determines if manifest generation might change local files in the local repository clone based on the config management tool and application settings.
+If the manifest generation has no side effects then requests are processed in parallel without a performance penalty. The following are known cases that might cause slowness and their workarounds:
 
-  * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart don't have conditional
-[dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in chart directory.
+  * **Multiple Helm based applications pointing to the same directory in one Git repository:** ensure that your Helm chart doesn't have conditional
+[dependencies](https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags) and create `.argocd-allow-concurrency` file in the chart directory.
 
-  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.
+  * **Multiple Custom plugin based applications:** avoid creating temporal files during manifest generation and create `.argocd-allow-concurrency` file in the app directory, or use the sidecar plugin option, which processes each application using a temporary copy of the repository.
 
   * **Multiple Kustomize applications in same repository with [parameter overrides](../user-guide/parameters.md):** sorry, no workaround for now.
 
@@ -188,4 +184,4 @@ spec:
     targetRevision: HEAD
     path: my-application
 # ...
-```
+```

docs/operator-manual/project.yaml

@@ -15,9 +15,11 @@ spec:
   - '*'
 
   # Only permit applications to deploy to the guestbook namespace in the same cluster
+  # Destination clusters can be identified by 'server', 'name', or both.
   destinations:
   - namespace: guestbook
     server: https://kubernetes.default.svc
+    name: in-cluster
 
   # Deny all cluster-scoped resources from being created, except for Namespace
   clusterResourceWhitelist:

docs/operator-manual/resource_actions.md

@@ -9,9 +9,8 @@ Operators can add actions to custom resources in form of a Lua script and expand
 
 Argo CD supports custom resource actions written in [Lua](https://www.lua.org/). This is useful if you:
 
-    * Have a custom resource for which Argo CD does not provide any built-in actions.
-    * Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
-
+* Have a custom resource for which Argo CD does not provide any built-in actions.
+* Have a commonly performed manual task that might be error prone if executed by users via `kubectl`
 
 You can define your own custom resource actions in the `argocd-cm` ConfigMap.
 

docs/operator-manual/secret-management.md

@@ -1,6 +1,11 @@
 # Secret Management
 
-Argo CD is un-opinionated about how secrets are managed. There's many ways to do it and there's no one-size-fits-all solution. Here's some ways people are doing GitOps secrets:
+Argo CD is un-opinionated about how secrets are managed. There are many ways to do it, and there's no one-size-fits-all solution.
+
+Many solutions use plugins to inject secrets into the application manifests. See [Mitigating Risks of Secret-Injection Plugins](#mitigating-risks-of-secret-injection-plugins)
+below to make sure you use those plugins securely.
+
+Here are some ways people are doing GitOps secrets:
 
 * [Bitnami Sealed Secrets](https://github.com/bitnami-labs/sealed-secrets)
 * [External Secrets Operator](https://github.com/external-secrets/external-secrets)
@@ -15,3 +20,17 @@ Argo CD is un-opinionated about how secrets are managed. There's many ways to do
 * [Kubernetes Secrets Store CSI Driver](https://github.com/kubernetes-sigs/secrets-store-csi-driver)
 
 For discussion, see [#1364](https://github.com/argoproj/argo-cd/issues/1364)
+
+## Mitigating Risks of Secret-Injection Plugins
+
+Argo CD caches the manifests generated by plugins, along with the injected secrets, in its Redis instance. Those 
+manifests are also available via the repo-server API (a gRPC service). This means that the secrets are available to 
+anyone who has access to the Redis instance or to the repo-server.
+
+Consider these steps to mitigate the risks of secret-injection plugins:
+
+1. Set up network policies to prevent direct access to Argo CD components (Redis and the repo-server). Make sure your
+   cluster supports those network policies and can actually enforce them.
+2. Consider running Argo CD on its own cluster, with no other applications running on it.
+3. [Enable password authentication on the Redis instance](https://github.com/argoproj/argo-cd/issues/3130) (currently
+   only supported for non-HA Argo CD installations).

docs/operator-manual/ui-customization.md

@@ -0,0 +1,9 @@
+# UI Customization
+
+## Default Application Details View
+
+By default, the Application Details will show the `Tree` view.
+
+This can be configured on an Application basis, by setting the `pref.argocd.argoproj.io/default-view` annotation, accepting one of: `tree`, `pods`, `network`, `list` as values.
+
+For the Pods view, the default grouping mechanism can be configured using the `pref.argocd.argoproj.io/default-pod-sort` annotation, accepting one of: `node`, `parentResource`, `topLevelResource` as values.

docs/operator-manual/upgrading/1.8-2.0.md

@@ -1,4 +1,4 @@
-# v1.8 to v2.0
+# v1.8 to 2.0
 
 ## Redis Upgraded to v6.2.1
 

docs/operator-manual/upgrading/2.2-2.3.md

@@ -36,7 +36,7 @@ data:
 
 ## Removed Python from the base image
 
-If you are using a [Config Management Plugin](../../user-guide/config-management-plugins.md) that relies on Python, you
+If you are using a [Config Management Plugin](../config-management-plugins.md) that relies on Python, you
 will need to build a custom image on the Argo CD base to install Python.
 
 ## Upgraded Kustomize Version

docs/operator-manual/upgrading/2.3-2.4.md

@@ -176,7 +176,7 @@ that uses the Service Account for auth), be sure to test before deploying the 2.
 
 ### Remove the shared volume from any sidecar plugins
 
-As a security enhancement, [sidecar plugins](../../user-guide/config-management-plugins.md#option-2-configure-plugin-via-sidecar)
+As a security enhancement, [sidecar plugins](../config-management-plugins.md#option-2-configure-plugin-via-sidecar)
 no longer share the /tmp directory with the repo-server.
 
 If you have one or more sidecar plugins enabled, replace the /tmp volume mount for each sidecar to use a volume specific 

docs/operator-manual/upgrading/2.4-2.5.md

@@ -97,7 +97,7 @@ When using `argocd app diff --local`, code from the repo server is run on the us
 
 In order to support CMPs and reduce local requirements, we have implemented *server-side generation* of local manifests via the `--server-side-generate` argument. For example, `argocd app diff --local repoDir --server-side-generate` will upload the contents of `repoDir` to the repo server and run your manifest generation pipeline against it, the same as it would for a Git repo.
 
-In v2.6, the `--server-side-generate` argument will become the default and client-side generation will be removed.
+In v2.7, the `--server-side-generate` argument will become the default and client-side generation will be removed.
 
 !!! warning
     The semantics of *where* Argo will start generating manifests within a repo has changed between client-side and server-side generation. With client-side generation, the application's path (`spec.source.path`) was ignored and the value of `--local-repo-root` was effectively used (by default `/` relative to `--local`).

docs/operator-manual/upgrading/2.5-2.6.md

@@ -6,3 +6,18 @@ Argo CD 2.5 introduced [Go templating in ApplicationSets](https://argo-cd.readth
 Argo CD 2.6 upgrades Sprig to v3. That upgrade includes an upgrade of [Masterminds/semver](https://github.com/Masterminds/semver/releases) to v3.
 
 Masterminds/semver v3 changed the behavior of the `^` prefix in semantic version constraints. If you are using Go-templated ApplicationSets which include references to [Sprig's semver functions](https://masterminds.github.io/sprig/semver.html) and use the `^` prefix, read the [Masterminds/semver changelog](https://github.com/Masterminds/semver/releases/tag/v3.0.0) to understand how your ApplicationSets' behavior may change.
+
+## Applications with suspended jobs now marked "Suspended" instead of "Progressing"
+Prior to Argo CD v2.6, an Application managing a suspended Job would be marked as "Progressing". This was confusing/unexpected behavior for many. Starting with v2.6, Argo CD will mark such Applications as "Suspended".
+
+If you have processes which rely on the previous behavior (for example, a CI job with an argocd app wait call), update those before upgrading to v2.6.
+
+## The API Server now requires tokens to include the `aud` claim by default
+
+Argo CD v2.6 now requires that the `aud` claim be present in the token used to authenticate to the API Server. This is a 
+security improvement, as it prevents tokens from being used against the API Server which were not intended for it.
+
+If you rely on an OIDC provider which does not provide a `aud` claim, you can disable this requirement by setting the 
+`skipAudienceCheckWhenTokenHasNoAudience` flag to `true` in your Argo CD OIDC configuration. (See the 
+[OIDC configuration documentation](https://argo-cd.readthedocs.io/en/stable/operator-manual/user-management/#existing-oidc-provider)
+for an example.)

docs/operator-manual/upgrading/overview.md

@@ -37,6 +37,7 @@ kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/<v
 
 <hr/>
 
+* [v2.5 to v2.6](./2.5-2.6.md)
 * [v2.4 to v2.5](./2.4-2.5.md)
 * [v2.3 to v2.4](./2.3-2.4.md)
 * [v2.2 to v2.3](./2.2-2.3.md)

docs/operator-manual/user-management/index.md

@@ -301,6 +301,19 @@ data:
     issuer: https://dev-123456.oktapreview.com
     clientID: aaaabbbbccccddddeee
     clientSecret: $oidc.okta.clientSecret
+    
+    # Optional list of allowed aud claims. If omitted or empty, defaults to the clientID value above (and the 
+    # cliCientID, if that is also specified). If you specify a list and want the clientID to be allowed, you must 
+    # explicitly include it in the list.
+    # Token verification will pass if any of the token's audiences matches any of the audiences in this list.
+    allowedAudiences:
+    - aaaabbbbccccddddeee
+    - qqqqwwwweeeerrrrttt
+
+    # Optional. If false, tokens without an audience will always fail validation. If true, tokens without an audience 
+    # will always pass validation.
+    # Defaults to true for Argo CD < 2.6.0. Defaults to false for Argo CD >= 2.6.0.
+    skipAudienceCheckWhenTokenHasNoAudience: true
 
     # Optional set of OIDC scopes to request. If omitted, defaults to: ["openid", "profile", "email", "groups"]
     requestedScopes: ["openid", "profile", "email", "groups"]

docs/roadmap.md

@@ -1,224 +1,5 @@
 # Roadmap
 
-- [Roadmap](#roadmap)
-  - [v2.4](#v24)
-    - [Server side apply](#server-side-apply)
-    - [Input Forms UI Refresh](#input-forms-ui-refresh)
-    - [Web Shell](#web-shell)
-    - [Helm values from external repo](#helm-values-from-external-repo)
-    - [Support multiple sources for an Application](#support-multiple-sources-for-an-application)
-    - [Config Management Tools Enhancements: Parametrization & Security Improvements](#config-management-tools-enhancements-parametrization--security-improvements)
-  - [v2.5 and beyond](#v25-and-beyond)
-    - [Config Management Tools Enhancements: UI/CLI](#config-management-tools-enhancements-uicli)
-    - [First class support for ApplicationSet resources](#first-class-support-for-applicationset-resources)
-    - [Merge Argo CD Image Updater into Argo CD](#merge-argo-cd-image-updater-into-argo-cd)
-    - [Sharding application controller](#sharding-application-controller)
-    - [Add support for secrets in Application parameters](#add-support-for-secrets-in-application-parameters)
-    - [Allow specifying parent/child relationships in config](#allow-specifying-parentchild-relationships-in-config)
-    - [Dependencies between applications](#dependencies-between-applications)
-    - [Multi-tenancy improvements](#multi-tenancy-improvements)
-    - [GitOps Engine Enhancements](#gitops-engine-enhancements)
-  - [Completed](#completed)
-    - [✅ Merge Argo CD Notifications into Argo CD](#-merge-argo-cd-notifications-into-argo-cd)
-    - [✅ Merge ApplicationSet controller into Argo CD](#-merge-applicationset-controller-into-argo-cd)
-    - [✅ Compact resources tree](#-compact-resources-tree)
-    - [✅ Maintain difference in cluster and git values for specific fields](#-maintain-difference-in-cluster-and-git-values-for-specific-fields)
-    - [✅ ARM images and CLI binary](#-arm-images-and-cli-binary)
-    - [✅ Config Management Tools Integrations (proposal)](#-config-management-tools-integrations-proposal)
-    - [✅ Argo CD Extensions (proposal)](#-argo-cd-extensions-proposal)
-    - [✅ Project scoped repository and clusters (proposal)](#-project-scoped-repository-and-clusters-proposal)
-    - [✅ Core Argo CD (proposal)](#-core-argo-cd-proposal)
-    - [✅ Core Functionality Bug Fixes](#-core-functionality-bug-fixes)
-    - [✅ Performance](#-performance)
-    - [✅ ApplicationSet](#-applicationset)
-    - [✅ Large Applications support](#-large-applications-support)
-    - [✅ Serviceability](#-serviceability)
-    - [✅ Argo CD Notifications](#-argo-cd-notifications)
-    - [✅ Automated Registry Monitoring](#-automated-registry-monitoring)
-    - [✅ Projects Enhancements](#-projects-enhancements)
+The Argo CD roadmap is maintained in [a GitHub Project](https://github.com/orgs/argoproj/projects/25/views/14).
 
-## v2.4
-
-> ETA: May 2022
-
-### Server side apply
-
-Support using [server side apply](https://kubernetes.io/docs/reference/using-api/server-side-apply/) during application syncing
-[#2267](https://github.com/argoproj/argo-cd/issues/2267)
-
-### Input Forms UI Refresh
-
-Improved design of the input forms in Argo CD Web UI: https://www.figma.com/file/IIlsFqqmM5UhqMVul9fQNq/Argo-CD?node-id=0%3A1
-
-### Web Shell
-
-Exec into the Kubernetes Pod right from Argo CD Web UI! [#4351](https://github.com/argoproj/argo-cd/issues/4351)
-
-### Helm values from external repo
-
-The feature allows combining of-the-shelf Helm chart and value file in Git repository ([#2789](https://github.com/argoproj/argo-cd/issues/2789))
-
-### Support multiple sources for an Application
-
-Support more than one source for creating an Application [#8322](https://github.com/argoproj/argo-cd/pull/8322).
-
-### Config Management Tools Enhancements: Parametrization & Security Improvements
-
-The continuation of the Config Management Tools of [proposal](https://github.com/argoproj/argo-cd/blob/master/docs/proposals/parameterized-config-management-plugins.md).
-The Argo config management plugin configuration allows users to specify the accepted parameters, default values to eventually power UI and CLI.
-Additionally, plugins implementation should provide better Argo CD tenant isolation and security.
-
-## v2.5 and beyond
-
-### Config Management Tools Enhancements: UI/CLI
-
-The Argo CD should provide a first-class experience for configured third-party config management tools. User should be able to view supported parameters,
-observe default parameter values and override them.
-
-### First class support for ApplicationSet resources
-
-The Argo CD UI/CLI/API allows to manage ApplicationSet resources same as Argo CD Applications ([#7352](https://github.com/argoproj/argo-cd/issues/7352)).
-
-### Merge Argo CD Image Updater into Argo CD
-
-The [Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater) should be merged into Argo CD and available out-of-the-box: [#7385](https://github.com/argoproj/argo-cd/issues/7385)
-
-
-### Sharding application controller 
-
-Application controller to scale automatically to provide high availability[#8340](https://github.com/argoproj/argo-cd/issues/8340).
-
-### Add support for secrets in Application parameters
-
-The feature allows referencing secrets in Application parameters. [#1786](https://github.com/argoproj/argo-cd/issues/1786).
-
-### Allow specifying parent/child relationships in config
-
-The feature [#5082](https://github.com/argoproj/argo-cd/issues/5082) allows configuring parent/child relationships between resources. This allows to correctly
-visualize custom resources that don't have owner references.
-
-### Dependencies between applications
-
-The feature allows specifying dependencies between applications that allow orchestrating synchronization of multiple applications. [#3517](https://github.com/argoproj/argo-cd/issues/3517)
-
-
-### Multi-tenancy improvements
-
-The multi-tenancy improvements that allow end-users to create Argo CD applications using Kubernetes directly without accessing Argo CD API.
-
-* [Applications outside argocd namespace](https://github.com/argoproj/argo-cd/pull/6409)
-* [AppSource](https://github.com/argoproj-labs/appsource)
-
-
-### GitOps Engine Enhancements
-
-The [GitOps Engine](https://github.com/argoproj/gitops-engine) is a library that implements core GitOps functions such as K8S resource reconciliation and diffing.
-A lot of Argo CD features are still not available in GitOps engine. The following features have to be contributed to the GitOps Engine:
-
-* an ability to customize resources health assessment and existing CRD health [assessment functions](https://github.com/argoproj/argo-cd/tree/master/resource_customizations).
-* resource diffing [customization](../user-guide/diffing/).
-* config management [tools](../user-guide/application_sources/) integration.
-* unified syncing annotations [argoproj/gitops-engine#43](https://github.com/argoproj/gitops-engine/issues/43).
-
-## Completed
-
-### ✅ Merge Argo CD Notifications into Argo CD
-
-The [Argo CD Notifications](https://github.com/argoproj-labs/argocd-notifications) should be merged into Argo CD and available out-of-the-box: [#7350](https://github.com/argoproj/argo-cd/issues/7350)
-
-### ✅ Merge ApplicationSet controller into Argo CD
-
-The ApplicationSet functionality is available in Argo CD out-of-the-box ([#7351](https://github.com/argoproj/argo-cd/issues/7351)).
-
-### ✅ Compact resources tree
-
-An ability to collaps leaf resources tree to improve visualization of very large applications: [#7349](https://github.com/argoproj/argo-cd/issues/7349)
-
-### ✅ Maintain difference in cluster and git values for specific fields
-
-The feature allows to avoid updating fields excluded from diffing ([#2913](https://github.com/argoproj/argo-cd/issues/2913)).
-
-### ✅ ARM images and CLI binary
-
-The release workflow should build and publish ARM images and CLI binaries: ([#4211](https://github.com/argoproj/argo-cd/issues/4211))
-
-### ✅ Config Management Tools Integrations ([proposal](https://github.com/argoproj/argo-cd/pull/5927))
-
-The community likes the first class support of Helm, Kustomize and keeps requesting support for more tools.
-Argo CD provides a mechanism to integrate with any config management tool. We need to investigate why
-it is not enough and implement missing features.
-
-### ✅ Argo CD Extensions ([proposal](https://github.com/argoproj/argo-cd/pull/6240))
-
-Argo CD supports customizing handling of Kubernetes resources via diffing customizations,
-health checks, and custom actions. The Argo CD Extensions proposal takes it to next
-level and allows to deliver the resource customizations along with custom visualization in Argo CD
-via Git repository.
-
-### ✅ Project scoped repository and clusters ([proposal](https://github.com/argoproj/argo-cd/blob/master/docs/proposals/project-repos-and-clusters.md))
-
-The feature streamlines the process of adding repositories and clusters to the project and makes it self-service.
-Instead of asking an administrator to change Argo CD settings end users can perform the change independently.
-
-### ✅ Core Argo CD ([proposal](https://github.com/argoproj/argo-cd/pull/6385))
-
-Core Argo CD allows to installation and use of lightweight Argo CD that includes only the backend without exposing the API or UI.
-The Core Argo CD provides a better experience to users who need only core Argo CD features and don't want to deal with multi-tenancy features.
-
-### ✅ Core Functionality Bug Fixes
-
-The core GitOps features still have several known bugs and limitations. The full list is available in [v1.9 milestone](
-https://github.com/argoproj/argo-cd/issues?q=is%3Aopen+is%3Aissue+label%3Abug+milestone%3A%22v1.9%22+label%3Acomponent%3Acore)
-
-The most notable issues:
-
-* [Argo CD synchronization lasts incredibly long](https://github.com/argoproj/argo-cd/issues/3663)
-
-### ✅ Performance
-
-* 2000+ Applications support. The user interface becomes notably slower if one Argo CD instance manages more than 1 thousand applications.
-A set of optimizations is required to fix that issue.
-
-* 100+ Clusters support. The cluster addon management use-case requires connecting a large number of clusters to one Argo CD controller.
-Currently Argo CD controller is unable to handle that many clusters. The solution is to support horizontal controller scaling and automated sharding.
-
-* Mono Repository support. Argo CD is not optimized for mono repositories with a large number of applications. With 50+ applications in the same repository, manifest generation performance drops significantly. The repository server optimization is required to improve it.
-
-### ✅ ApplicationSet
-
-Argo CD Applications allow splitting the cluster configuration into logic groups that are managed independently. However, the set of applications
-is a configuration that should be managed declaratively as well. The app-of-apps pattern solves this problem but still has some challenges such as
-maintenance overhead, security, and lack of some additional features.
-
-[ApplicationSet](https://github.com/argoproj-labs/applicationset) project provides a better solution for managing applications across multiple environments.
-
-### ✅ Large Applications support
-
-The application details page is not suitable to visualize applications that include a large number of resources (hundreds of resources). The page has to be reworked
-to improve user experience.
-
-### ✅ Serviceability
-
-To make Argo CD successful we need to build tools that enable Argo CD administrators to handle scalability and performance issues in a self-service model.
-
-That includes more metrics, out-of-the-box alerts and a cluster management user interface.
-
-
-### ✅ Argo CD Notifications
-
-[Argo CD Notifications](https://github.com/argoproj-labs/argocd-notifications) provides the ability to notify users about Argo CD Application
-changes as well as implement integrations such as update GitHub commit status, trigger Jenkins job, set Grafana label, etc.
-
-### ✅ Automated Registry Monitoring
-
-[Argo CD Image Updater](https://github.com/argoproj-labs/argocd-image-updater) provides an ability to monitor Docker registries and automatically
-update image versions in the deployment repository. See [https://github.com/argoproj/argo-cd/issues/1648](https://github.com/argoproj/argo-cd/issues/1648).
-
-
-### ✅ Projects Enhancements
-
-Argo CD projects accumulated a lot of debt:
-
-* Users don't know how to use project roles and SSO. It is one of the key features but not documented well. We need to document and promote it
-* Project management UI has evolved organically and needs a complete redesign. We packaged everything into one sliding panel which is painful to use
-* Enhancements: [#3598](https://github.com/argoproj/argo-cd/issues/3598)
+Releases are planned according to the [Release Process and Cadence](developer-guide/release-process-and-cadence.md) doc.

docs/snyk/index.md

@@ -13,51 +13,64 @@ recent minor releases.
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](master/argocd-test.html) | 0 | 0 | 1 | 0 |
-| [ui/yarn.lock](master/argocd-test.html) | 0 | 1 | 3 | 0 |
+| [go.mod](master/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [ui/yarn.lock](master/argocd-test.html) | 0 | 0 | 0 | 0 |
 | [dex:v2.35.3](master/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
 | [haproxy:2.6.2-alpine](master/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.5-alpine](master/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:latest](master/quay.io_argoproj_argocd_latest.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](master/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
 | [install.yaml](master/argocd-iac-install.html) | - | - | - | - |
 | [namespace-install.yaml](master/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.5.5
+### v2.6.0-rc7
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.5.5/argocd-test.html) | 0 | 0 | 4 | 0 |
-| [ui/yarn.lock](v2.5.5/argocd-test.html) | 0 | 1 | 3 | 0 |
-| [dex:v2.35.3](v2.5.5/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.6.2-alpine](v2.5.5/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.5.5](v2.5.5/quay.io_argoproj_argocd_v2.5.5.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.5-alpine](v2.5.5/redis_7.0.5-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.5.5/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.5.5/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.6.0-rc7/argocd-test.html) | 0 | 0 | 0 | 0 |
+| [ui/yarn.lock](v2.6.0-rc7/argocd-test.html) | 0 | 0 | 1 | 0 |
+| [dex:v2.35.3](v2.6.0-rc7/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.6.2-alpine](v2.6.0-rc7/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.6.0-rc7](v2.6.0-rc7/quay.io_argoproj_argocd_v2.6.0-rc7.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.6.0-rc7/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.6.0-rc7/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.6.0-rc7/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.4.18
+### v2.5.10
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.4.18/argocd-test.html) | 0 | 1 | 4 | 0 |
-| [ui/yarn.lock](v2.4.18/argocd-test.html) | 0 | 1 | 3 | 0 |
-| [dex:v2.35.3](v2.4.18/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.4.18/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd:v2.4.18](v2.4.18/quay.io_argoproj_argocd_v2.4.18.html) | 0 | 0 | 2 | 13 |
-| [redis:7.0.4-alpine](v2.4.18/redis_7.0.4-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.4.18/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.4.18/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.5.10/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.5.10/argocd-test.html) | 0 | 0 | 4 | 0 |
+| [dex:v2.35.3](v2.5.10/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.6.2-alpine](v2.5.10/haproxy_2.6.2-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.5.10](v2.5.10/quay.io_argoproj_argocd_v2.5.10.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.5.10/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.5.10/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.5.10/argocd-iac-namespace-install.html) | - | - | - | - |
 
-### v2.3.12
+### v2.4.22
 
 |    | Critical | High | Medium | Low |
 |---:|:--------:|:----:|:------:|:---:|
-| [go.mod](v2.3.12/argocd-test.html) | 0 | 1 | 4 | 0 |
-| [ui/yarn.lock](v2.3.12/argocd-test.html) | 0 | 2 | 5 | 0 |
-| [dex:v2.35.3](v2.3.12/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
-| [haproxy:2.0.29-alpine](v2.3.12/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
-| [argocd-applicationset:v0.4.1](v2.3.12/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
-| [argocd:v2.3.12](v2.3.12/quay.io_argoproj_argocd_v2.3.12.html) | 0 | 0 | 2 | 13 |
-| [redis:6.2.7-alpine](v2.3.12/redis_6.2.7-alpine.html) | 0 | 0 | 0 | 0 |
-| [install.yaml](v2.3.12/argocd-iac-install.html) | - | - | - | - |
-| [namespace-install.yaml](v2.3.12/argocd-iac-namespace-install.html) | - | - | - | - |
+| [go.mod](v2.4.22/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.4.22/argocd-test.html) | 0 | 0 | 4 | 0 |
+| [dex:v2.35.3](v2.4.22/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.0.29-alpine](v2.4.22/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd:v2.4.22](v2.4.22/quay.io_argoproj_argocd_v2.4.22.html) | 0 | 0 | 1 | 14 |
+| [redis:7.0.7-alpine](v2.4.22/redis_7.0.7-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.4.22/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.4.22/argocd-iac-namespace-install.html) | - | - | - | - |
+
+### v2.3.16
+
+|    | Critical | High | Medium | Low |
+|---:|:--------:|:----:|:------:|:---:|
+| [go.mod](v2.3.16/argocd-test.html) | 0 | 0 | 3 | 0 |
+| [ui/yarn.lock](v2.3.16/argocd-test.html) | 0 | 2 | 6 | 0 |
+| [dex:v2.35.3](v2.3.16/ghcr.io_dexidp_dex_v2.35.3.html) | 0 | 0 | 0 | 0 |
+| [haproxy:2.0.29-alpine](v2.3.16/haproxy_2.0.29-alpine.html) | 0 | 0 | 0 | 0 |
+| [argocd-applicationset:v0.4.1](v2.3.16/quay.io_argoproj_argocd-applicationset_v0.4.1.html) | 0 | 4 | 38 | 29 |
+| [argocd:v2.3.16](v2.3.16/quay.io_argoproj_argocd_v2.3.16.html) | 0 | 0 | 1 | 14 |
+| [redis:6.2.8-alpine](v2.3.16/redis_6.2.8-alpine.html) | 0 | 0 | 0 | 0 |
+| [install.yaml](v2.3.16/argocd-iac-install.html) | - | - | - | - |
+| [namespace-install.yaml](v2.3.16/argocd-iac-namespace-install.html) | - | - | - | - |

docs/snyk/master/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:16:18 am</p>
+                <p class="timestamp">February 5th 2023, 12:17:50 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -789,7 +789,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                           </li>
                       </ul>
               
@@ -905,7 +905,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                           </li>
                       </ul>
               
@@ -963,7 +963,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                           </li>
                       </ul>
               
@@ -1021,7 +1021,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16035
+                              Line number: 16041
                           </li>
                       </ul>
               
@@ -1079,7 +1079,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                           </li>
                       </ul>
               
@@ -1137,7 +1137,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                           </li>
                       </ul>
               
@@ -1195,7 +1195,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16165
+                              Line number: 16171
                           </li>
                       </ul>
               
@@ -1253,7 +1253,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16428
+                              Line number: 16434
                           </li>
                       </ul>
               
@@ -1311,7 +1311,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16732
+                              Line number: 16738
                           </li>
                       </ul>
               
@@ -1363,7 +1363,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15959
+                              Line number: 15965
                           </li>
                       </ul>
               
@@ -1419,7 +1419,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16119
+                              Line number: 16125
                           </li>
                       </ul>
               
@@ -1523,7 +1523,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                           </li>
                       </ul>
               
@@ -1575,7 +1575,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                           </li>
                       </ul>
               
@@ -1627,7 +1627,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                           </li>
                       </ul>
               
@@ -1679,7 +1679,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                           </li>
                       </ul>
               
@@ -1795,7 +1795,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15945
+                              Line number: 15951
                           </li>
                       </ul>
               
@@ -1853,7 +1853,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 15979
+                              Line number: 15985
                           </li>
                       </ul>
               
@@ -1911,7 +1911,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16035
+                              Line number: 16041
                           </li>
                       </ul>
               
@@ -1969,7 +1969,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16109
+                              Line number: 16115
                           </li>
                       </ul>
               
@@ -2027,7 +2027,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16343
+                              Line number: 16349
                           </li>
                       </ul>
               
@@ -2085,7 +2085,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16165
+                              Line number: 16171
                           </li>
                       </ul>
               
@@ -2143,7 +2143,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16428
+                              Line number: 16434
                           </li>
                       </ul>
               
@@ -2201,7 +2201,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 16732
+                              Line number: 16738
                           </li>
                       </ul>
               

docs/snyk/master/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:16:27 am</p>
+                <p class="timestamp">February 5th 2023, 12:17:58 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>
@@ -789,7 +789,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                           </li>
                       </ul>
               
@@ -905,7 +905,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                           </li>
                       </ul>
               
@@ -963,7 +963,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                           </li>
                       </ul>
               
@@ -1021,7 +1021,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 845
                           </li>
                       </ul>
               
@@ -1079,7 +1079,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                           </li>
                       </ul>
               
@@ -1137,7 +1137,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                           </li>
                       </ul>
               
@@ -1195,7 +1195,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 975
                           </li>
                       </ul>
               
@@ -1253,7 +1253,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1238
                           </li>
                       </ul>
               
@@ -1311,7 +1311,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1536
+                              Line number: 1542
                           </li>
                       </ul>
               
@@ -1363,7 +1363,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 763
+                              Line number: 769
                           </li>
                       </ul>
               
@@ -1419,7 +1419,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 923
+                              Line number: 929
                           </li>
                       </ul>
               
@@ -1523,7 +1523,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                           </li>
                       </ul>
               
@@ -1575,7 +1575,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                           </li>
                       </ul>
               
@@ -1627,7 +1627,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                           </li>
                       </ul>
               
@@ -1679,7 +1679,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                           </li>
                       </ul>
               
@@ -1795,7 +1795,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 749
+                              Line number: 755
                           </li>
                       </ul>
               
@@ -1853,7 +1853,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 783
+                              Line number: 789
                           </li>
                       </ul>
               
@@ -1911,7 +1911,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 839
+                              Line number: 845
                           </li>
                       </ul>
               
@@ -1969,7 +1969,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 913
+                              Line number: 919
                           </li>
                       </ul>
               
@@ -2027,7 +2027,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1147
+                              Line number: 1153
                           </li>
                       </ul>
               
@@ -2085,7 +2085,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 969
+                              Line number: 975
                           </li>
                       </ul>
               
@@ -2143,7 +2143,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1232
+                              Line number: 1238
                           </li>
                       </ul>
               
@@ -2201,7 +2201,7 @@
                           </li>
               
                           <li class="card__meta__item">
-                              Line number: 1536
+                              Line number: 1542
                           </li>
                       </ul>
               

docs/snyk/master/ghcr.io_dexidp_dex_v2.35.3.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
+  <meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,35 +456,258 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:14:17 am</p>
+                <p class="timestamp">February 5th 2023, 12:15:59 am</p>
               </div>
               <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/hairyhenderson/gomplate/v3 (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>14</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>5 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>756</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
         </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
-              
-              </tbody>
-          </table>
-      </section>
+
     <div class="layout-container" style="padding-top: 35px;">
-      No known vulnerabilities detected.
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Input Validation</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
     </div>
   </main><!-- .layout-stacked__content -->
 </body>

docs/snyk/master/haproxy_2.6.2-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:14:22 am</p>
+                <p class="timestamp">February 5th 2023, 12:16:03 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/master/quay.io_argoproj_argocd_latest.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="15 known vulnerabilities found in 91 vulnerable dependency paths.">
+  <meta name="description" content="21 known vulnerabilities found in 98 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,35 +456,260 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:14:47 am</p>
+                <p class="timestamp">February 5th 2023, 12:16:27 am</p>
               </div>
               <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd (deb)</li>
+                  <li class="paths">quay.io/argoproj/argocd:latest/argoproj/argocd (deb)</li><li class="paths">quay.io/argoproj/argocd:latest/argoproj/argo-cd/v2 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/kustomize/kustomize/v4 (gomodules)</li><li class="paths">quay.io/argoproj/argocd:latest/helm/v3 (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>15</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>91 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>162</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>21</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>98 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>2061</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
         </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|quay.io/argoproj/argocd</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">quay.io/argoproj/argocd:latest/argoproj/argocd</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">deb</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Manifest</th> <td class="meta-row-value">Dockerfile</td></tr>
-              </tbody>
-          </table>
-      </section>
+
     <div class="layout-container" style="padding-top: 35px;">
       <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            gopkg.in/yaml.v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/go-yaml/yaml">gopkg.in/yaml.v3</a> is a YAML support package for the Go language.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) via the <code>Unmarshal</code> function, which causes the program to crash when attempting to deserialize invalid input.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">package main
+        
+        import (
+            &quot;gopkg.in/yaml.v3&quot;
+        )
+        
+        func main() {
+            var t interface{}
+            yaml.Unmarshal([]byte(&quot;0: [:!00 \xef&quot;), &amp;t)
+        }
+        </code></pre>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>gopkg.in/yaml.v3</code> to version 3.0.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-yaml/yaml/commit/8f96da9f5d5eff988554c1aae1784627c4bf6754">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-yaml/yaml/issues/666">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2841557">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">NULL Pointer Dereference</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            gopkg.in/yaml.v3
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        gopkg.in/yaml.v3@v3.0.0-20210107192922-496545a6307b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://github.com/go-yaml/yaml">gopkg.in/yaml.v3</a> is a YAML support package for the Go language.</p>
+        <p>Affected versions of this package are vulnerable to NULL Pointer Dereference when parsing <code>#\n-\n-\n0</code> via the <code>parserc.go</code> parser.</p>
+        <h2 id="poc">PoC</h2>
+        <pre><code class="language-golang">package main
+        
+        import (
+            &quot;gopkg.in/yaml.v3&quot;
+        )
+        
+        func main() {
+            var t interface{}
+            yaml.Unmarshal([]byte(&quot;#\n-\n-\n0&quot;), &amp;t)
+        }
+        </code></pre>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>gopkg.in/yaml.v3</code> to version 3.0.1 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/go-yaml/yaml/commit/f6f7691b1fdeb513f56608cd2c32c51f8194bf51">GitHub Commit</a></li>
+        <li><a href="https://github.com/go-yaml/yaml/issues/665">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOPKGINYAMLV3-2952714">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--high" data-snyk-test="high">
+            <h2 class="card__title">Denial of Service</h2>
+            <div class="card__section">
+        
+                <div class="label label--high">
+                    <span class="label__text">high severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service as an <code>HTTP/2</code> connection can hang during closing if a shutdown was preempted by a fatal error.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.0.0-20220906165146-f3363e06e74c, 1.18.6, 1.19.1 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/net/commit/f3363e06e74cdc304618bf31d898b78590103527">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/54658">GitHub Issues</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3028257">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
             <h2 class="card__title">Off-by-one Error</h2>
             <div class="card__section">
@@ -635,7 +860,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>systemd</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>systemd</code> package and not the <code>systemd</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>An off-by-one Error issue was discovered in Systemd in format_timespan() function of time-util.c. An attacker could supply specific values for time and accuracy that leads to buffer overrun in format_timespan(), leading to a Denial of Service.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>systemd</code>.</p>
@@ -657,7 +883,7 @@
         
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
-            <h2 class="card__title">CVE-2022-46908</h2>
+            <h2 class="card__title">Improper Input Validation</h2>
             <div class="card__section">
         
                 <div class="label label--medium">
@@ -666,6 +892,228 @@
         
                 <hr/>
         
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                sigs.k8s.io/kustomize/kustomize/v4@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        sigs.k8s.io/kustomize/kustomize/v4@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220722155257-8c9f86f7a55f
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                helm.sh/helm/v3@* and golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        helm.sh/helm/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220722155237-a158d28d115b
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
+            <h2 class="card__title">CVE-2022-46908</h2>
+            <div class="card__section">
+        
+                <div class="label label--low">
+                    <span class="label__text">low severity</span>
+                </div>
+        
+                <hr/>
+        
                 <ul class="card__meta">
                     <li class="card__meta__item">
                         Package Manager: ubuntu:22.04
@@ -707,7 +1155,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>sqlite3</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>sqlite3</code> package and not the <code>sqlite3</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>sqlite3</code>.</p>
@@ -786,7 +1235,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>pcre3</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>pcre3</code> package and not the <code>pcre3</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>In PCRE 8.41, the OP_KETRMAX feature in the match function in pcre_exec.c allows stack exhaustion (uncontrolled recursion) when processing a crafted regular expression.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>pcre3</code>.</p>
@@ -856,7 +1306,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>patch</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>An Invalid Pointer vulnerability exists in GNU patch 2.7 via the another_hunk function, which causes a Denial of Service.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p>
@@ -922,7 +1373,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>patch</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>patch</code> package and not the <code>patch</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>A double free exists in the another_hunk function in pch.c in GNU patch through 2.7.6.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>patch</code>.</p>
@@ -990,7 +1442,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1
+                                        cyrus-sasl2/libsasl2-modules@2.1.27+dfsg2-3ubuntu1.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         openssl/libssl3@3.0.2-0ubuntu1.7
                                         
@@ -1012,7 +1464,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         openssl/libssl3@3.0.2-0ubuntu1.7
                                         
@@ -1036,9 +1488,9 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                          <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                          <span class="list-paths__item__arrow">›</span> 
                                         libssh/libssh-4@0.9.6-2build1
                                          <span class="list-paths__item__arrow">›</span> 
@@ -1055,15 +1507,15 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.8.1-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         libnsl/libnsl2@1.3.0-2build2
                                          <span class="list-paths__item__arrow">›</span> 
                                         libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         openssl/libssl3@3.0.2-0ubuntu1.7
                                         
@@ -1097,7 +1549,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssl</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssl</code> package and not the <code>openssl</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. Policy processing is enabled by passing the <code>-policy&amp;#39; argument to the command line utilities or by calling either </code>X509_VERIFY_PARAM_add0_policy()&#39; or `X509_VERIFY_PARAM_set1_policies()&#39; functions.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssl</code>.</p>
@@ -1116,7 +1569,7 @@
         
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
-            <h2 class="card__title">CVE-2021-41617</h2>
+            <h2 class="card__title">Improper Privilege Management</h2>
             <div class="card__section">
         
                 <div class="label label--low">
@@ -1137,7 +1590,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3
+                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1
         
                     </li>
                 </ul>
@@ -1152,7 +1605,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                         
                                 </span>
         
@@ -1164,7 +1617,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssh</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>sshd in OpenSSH 6.2 through 8.x before 8.8, when certain non-default configurations are used, allows privilege escalation because supplemental groups are not initialized as expected. Helper programs for AuthorizedKeysCommand and AuthorizedPrincipalsCommand may run with privileges associated with group memberships of the sshd process, if the configuration specifies running the command as a different user.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p>
@@ -1213,7 +1667,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3
+                                docker-image|quay.io/argoproj/argocd@latest and openssh/openssh-client@1:8.9p1-3ubuntu0.1
         
                     </li>
                 </ul>
@@ -1228,7 +1682,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                         
                                 </span>
         
@@ -1240,7 +1694,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>openssh</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>openssh</code> package and not the <code>openssh</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>The client side in OpenSSH 5.7 through 8.4 has an Observable Discrepancy leading to an information leak in the algorithm negotiation. This allows man-in-the-middle attackers to target initial connection attempts (where no host key for the server has been cached by the client). NOTE: some reports state that 8.5 and 8.6 are also affected.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>openssh</code>.</p>
@@ -1504,7 +1959,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>ncurses</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>ncurses</code> package and not the <code>ncurses</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>ncurses 6.3 before patch 20220416 has an out-of-bounds read and segmentation violation in convert_strings in tinfo/read_entry.c in the terminfo library.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>ncurses</code>.</p>
@@ -1547,7 +2003,7 @@
         
                     <li class="card__meta__item">Introduced through:
         
-                                docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2
+                                docker-image|quay.io/argoproj/argocd@latest and krb5/libk5crypto3@1.19.2-2ubuntu0.1
         
                     </li>
                 </ul>
@@ -1562,7 +2018,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1575,15 +2031,15 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.8.1-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         libnsl/libnsl2@1.3.0-2build2
                                          <span class="list-paths__item__arrow">›</span> 
                                         libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1596,17 +2052,17 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.8.1-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         libnsl/libnsl2@1.3.0-2build2
                                          <span class="list-paths__item__arrow">›</span> 
                                         libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libk5crypto3@1.19.2-2
+                                        krb5/libk5crypto3@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1615,7 +2071,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1628,15 +2084,15 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.8.1-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         libnsl/libnsl2@1.3.0-2build2
                                          <span class="list-paths__item__arrow">›</span> 
                                         libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5-3@1.19.2-2
+                                        krb5/libkrb5-3@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1645,7 +2101,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1654,9 +2110,9 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        openssh/openssh-client@1:8.9p1-3
+                                        openssh/openssh-client@1:8.9p1-3ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1665,11 +2121,11 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                          <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1678,13 +2134,13 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                          <span class="list-paths__item__arrow">›</span> 
-                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.6
+                                        curl/libcurl3-gnutls@7.81.0-1ubuntu1.7
                                          <span class="list-paths__item__arrow">›</span> 
                                         libssh/libssh-4@0.9.6-2build1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1697,13 +2153,13 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         shadow/passwd@1:4.8.1-2ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        pam/libpam-modules@1.4.0-11ubuntu2
+                                        pam/libpam-modules@1.4.0-11ubuntu2.1
                                          <span class="list-paths__item__arrow">›</span> 
                                         libnsl/libnsl2@1.3.0-2build2
                                          <span class="list-paths__item__arrow">›</span> 
                                         libtirpc/libtirpc3@1.3.2-2ubuntu0.1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libgssapi-krb5-2@1.19.2-2
+                                        krb5/libgssapi-krb5-2@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1714,7 +2170,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         meta-common-packages@meta
                                          <span class="list-paths__item__arrow">›</span> 
-                                        krb5/libkrb5support0@1.19.2-2
+                                        krb5/libkrb5support0@1.19.2-2ubuntu0.1
                                         
                                 </span>
         
@@ -1726,7 +2182,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>krb5</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>krb5</code> package and not the <code>krb5</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable &#34;dbentry-&gt;n_key_data&#34; in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a &#34;u4&#34; variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>krb5</code>.</p>
@@ -2174,7 +2631,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>glibc</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>glibc</code> package and not the <code>glibc</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>sha256crypt and sha512crypt through 0.6 allow attackers to cause a denial of service (CPU consumption) because the algorithm&#39;s runtime is proportional to the square of the length of the password.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>glibc</code>.</p>
@@ -2216,7 +2674,7 @@
                     <li class="card__meta__item">Introduced through:
         
         
-                                    docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.5 and others
+                                    docker-image|quay.io/argoproj/argocd@latest, git@1:2.34.1-1ubuntu1.6 and others
                     </li>
                 </ul>
         
@@ -2230,9 +2688,9 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git/git-man@1:2.34.1-1ubuntu1.5
+                                        git/git-man@1:2.34.1-1ubuntu1.6
                                         
                                 </span>
         
@@ -2241,7 +2699,7 @@
                                 <span class="list-paths__item__introduced"><em>Introduced through</em>:
                                         docker-image|quay.io/argoproj/argocd@latest
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         
                                 </span>
         
@@ -2252,7 +2710,7 @@
                                          <span class="list-paths__item__arrow">›</span> 
                                         git-lfs@3.0.2-1
                                          <span class="list-paths__item__arrow">›</span> 
-                                        git@1:2.34.1-1ubuntu1.5
+                                        git@1:2.34.1-1ubuntu1.6
                                         
                                 </span>
         
@@ -2264,7 +2722,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>git</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>git</code> package and not the <code>git</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>GIT version 2.15.1 and earlier contains a Input Validation Error vulnerability in Client that can result in problems including messing up terminal configuration to RCE. This attack appear to be exploitable via The user must interact with a malicious git server, (or have their traffic modified in a MITM attack).</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>git</code>.</p>
@@ -2331,7 +2790,8 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply to the upstream <code>coreutils</code> package.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>coreutils</code> package and not the <code>coreutils</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
         <p>chroot in GNU coreutils, when used with --userspec, allows local users to escape to the parent session via a crafted TIOCSTI ioctl call, which pushes characters to the terminal&#39;s input buffer.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>coreutils</code>.</p>
@@ -2352,7 +2812,7 @@
         
         </div><!-- .card -->
         <div class="card card--vuln  disclosure--not-new severity--low" data-snyk-test="low">
-            <h2 class="card__title">CVE-2022-3715</h2>
+            <h2 class="card__title">Out-of-bounds Write</h2>
             <div class="card__section">
         
                 <div class="label label--low">
@@ -2400,12 +2860,15 @@
               <hr/>
               <!-- Overview -->
               <h2 id="nvd-description">NVD Description</h2>
-        <p><em>This vulnerability has not been analyzed by NVD yet.</em></p>
+        <p><strong><em>Note:</em></strong> <em>Versions mentioned in the description apply only to the upstream <code>bash</code> package and not the <code>bash</code> package as distributed by <code>Ubuntu:22.04</code>.</em>
+        <em>See <code>How to fix?</code> for <code>Ubuntu:22.04</code> relevant fixed versions and status.</em></p>
+        <p>A flaw was found in the bash package, where a heap-buffer overflow can occur in valid parameter_transform. This issue may lead to memory problems.</p>
         <h2 id="remediation">Remediation</h2>
         <p>There is no fixed version for <code>Ubuntu:22.04</code> <code>bash</code>.</p>
         <h2 id="references">References</h2>
         <ul>
         <li><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2022-3715">ADVISORY</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2126720">MISC</a></li>
         </ul>
         
               <hr/>

docs/snyk/master/redis_7.0.7-alpine.html

@@ -456,12 +456,12 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:14:52 am</p>
+                <p class="timestamp">February 5th 2023, 12:16:33 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>
                 <ul>
-                  <li class="paths">redis:7.0.5-alpine (apk)</li>
+                  <li class="paths">redis:7.0.7-alpine (apk)</li>
                 </ul>
               </div>
     
@@ -477,7 +477,7 @@
           <table class="metatable">
               <tbody>
               <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|redis</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:7.0.5-alpine</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:7.0.7-alpine</td></tr>
               <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
               
               </tbody>

docs/snyk/v2.3.16/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:21:52 am</p>
+                <p class="timestamp">February 5th 2023, 12:26:03 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.3.16/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:22:24 am</p>
+                <p class="timestamp">February 5th 2023, 12:26:34 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.3.16/ghcr.io_dexidp_dex_v2.35.3.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
+  <meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,35 +456,258 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:18:38 am</p>
+                <p class="timestamp">February 5th 2023, 12:24:21 am</p>
               </div>
               <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/hairyhenderson/gomplate/v3 (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>14</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>5 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>756</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
         </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
-              
-              </tbody>
-          </table>
-      </section>
+
     <div class="layout-container" style="padding-top: 35px;">
-      No known vulnerabilities detected.
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Input Validation</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
     </div>
   </main><!-- .layout-stacked__content -->
 </body>

docs/snyk/v2.3.16/haproxy_2.0.29-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:18:42 am</p>
+                <p class="timestamp">February 5th 2023, 12:24:24 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.3.16/redis_6.2.8-alpine.html

@@ -456,12 +456,12 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:17:16 am</p>
+                <p class="timestamp">February 5th 2023, 12:25:18 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>
                 <ul>
-                  <li class="paths">redis:7.0.5-alpine (apk)</li>
+                  <li class="paths">redis:6.2.8-alpine (apk)</li>
                 </ul>
               </div>
     
@@ -477,7 +477,7 @@
           <table class="metatable">
               <tbody>
               <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|redis</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:7.0.5-alpine</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:6.2.8-alpine</td></tr>
               <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
               
               </tbody>

docs/snyk/v2.4.22/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:19:52 am</p>
+                <p class="timestamp">February 5th 2023, 12:23:47 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.4.22/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:20:00 am</p>
+                <p class="timestamp">February 5th 2023, 12:23:55 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.4.22/ghcr.io_dexidp_dex_v2.35.3.html

@@ -7,7 +7,7 @@
   <meta name="viewport" content="width=device-width, initial-scale=1.0">
   <meta http-equiv="X-UA-Compatible" content="IE=edge">
   <title>Snyk test report</title>
-  <meta name="description" content="0 known vulnerabilities found in 0 vulnerable dependency paths.">
+  <meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
   <base target="_blank">
   <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
     sizes="194x194">
@@ -456,35 +456,258 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:16:55 am</p>
+                <p class="timestamp">February 5th 2023, 12:22:31 am</p>
               </div>
               <div class="source-panel">
-                <span>Scanned the following path:</span>
+                <span>Scanned the following paths:</span>
                 <ul>
-                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/hairyhenderson/gomplate/v3 (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li>
                 </ul>
               </div>
     
               <div class="meta-counts">
-                <div class="meta-count"><span>0</span> <span>known vulnerabilities</span></div>
-                <div class="meta-count"><span>0 vulnerable dependency paths</span></div>
-                <div class="meta-count"><span>14</span> <span>dependencies</span></div>
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>5 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>756</span> <span>dependencies</span></div>
               </div><!-- .meta-counts -->
             </div><!-- .layout-container--short -->
           </header><!-- .project__header -->
         </div><!-- .layout-stacked__header -->
-      <section class="layout-container">
-          <table class="metatable">
-              <tbody>
-              <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|ghcr.io/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
-              
-              </tbody>
-          </table>
-      </section>
+
     <div class="layout-container" style="padding-top: 35px;">
-      No known vulnerabilities detected.
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Input Validation</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
     </div>
   </main><!-- .layout-stacked__content -->
 </body>

docs/snyk/v2.4.22/haproxy_2.0.29-alpine.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:20:20 am</p>
+                <p class="timestamp">February 5th 2023, 12:22:36 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>

docs/snyk/v2.4.22/redis_7.0.7-alpine.html

@@ -456,12 +456,12 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:21:05 am</p>
+                <p class="timestamp">February 5th 2023, 12:22:59 am</p>
               </div>
               <div class="source-panel">
                 <span>Scanned the following path:</span>
                 <ul>
-                  <li class="paths">redis:6.2.7-alpine (apk)</li>
+                  <li class="paths">redis:7.0.7-alpine (apk)</li>
                 </ul>
               </div>
     
@@ -477,7 +477,7 @@
           <table class="metatable">
               <tbody>
               <tr class="meta-row"><th class="meta-row-label">Project</th> <td class="meta-row-value">docker-image|redis</td></tr>
-              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:6.2.7-alpine</td></tr>
+              <tr class="meta-row"><th class="meta-row-label">Path</th> <td class="meta-row-value">redis:7.0.7-alpine</td></tr>
               <tr class="meta-row"><th class="meta-row-label">Package Manager</th> <td class="meta-row-value">apk</td></tr>
               
               </tbody>

docs/snyk/v2.5.10/argocd-iac-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:18:08 am</p>
+                <p class="timestamp">February 5th 2023, 12:21:54 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.5.10/argocd-iac-namespace-install.html

@@ -456,7 +456,7 @@
               <div class="header-wrap">
                   <h1 class="project__header__title">Snyk test report</h1>
     
-                <p class="timestamp">December 18th 2022, 12:18:17 am</p>
+                <p class="timestamp">February 5th 2023, 12:22:05 am</p>
               </div>
                 <div class="source-panel">
                   <span>Scanned the following path:</span>

docs/snyk/v2.5.10/ghcr.io_dexidp_dex_v2.35.3.html

@@ -0,0 +1,715 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+  <meta http-equiv="Content-type" content="text/html; charset=utf-8">
+  <meta http-equiv="Content-Language" content="en-us">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="IE=edge">
+  <title>Snyk test report</title>
+  <meta name="description" content="3 known vulnerabilities found in 5 vulnerable dependency paths.">
+  <base target="_blank">
+  <link rel="icon" type="image/png" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.png"
+    sizes="194x194">
+  <link rel="shortcut icon" href="https://res.cloudinary.com/snyk/image/upload/v1468845142/favicon/favicon.ico">
+  <style type="text/css">
+  
+    body {
+      -moz-font-feature-settings: "pnum";
+      -webkit-font-feature-settings: "pnum";
+      font-variant-numeric: proportional-nums;
+      display: flex;
+      flex-direction: column;
+      font-feature-settings: "pnum";
+      font-size: 100%;
+      line-height: 1.5;
+      min-height: 100vh;
+      -webkit-text-size-adjust: 100%;
+      margin: 0;
+      padding: 0;
+      background-color: #F5F5F5;
+      font-family: 'Arial', 'Helvetica', Calibri, sans-serif;
+    }
+  
+    h1,
+    h2,
+    h3,
+    h4,
+    h5,
+    h6 {
+      font-weight: 500;
+    }
+  
+    a,
+    a:link,
+    a:visited {
+      border-bottom: 1px solid #4b45a9;
+      text-decoration: none;
+      color: #4b45a9;
+    }
+  
+    a:hover,
+    a:focus,
+    a:active {
+      border-bottom: 1px solid #4b45a9;
+    }
+  
+    hr {
+      border: none;
+      margin: 1em 0;
+      border-top: 1px solid #c5c5c5;
+    }
+  
+    ul {
+      padding: 0 1em;
+      margin: 1em 0;
+    }
+  
+    code {
+      background-color: #EEE;
+      color: #333;
+      padding: 0.25em 0.5em;
+      border-radius: 0.25em;
+    }
+  
+    pre {
+      background-color: #333;
+      font-family: monospace;
+      padding: 0.5em 1em 0.75em;
+      border-radius: 0.25em;
+      font-size: 14px;
+    }
+  
+    pre code {
+      padding: 0;
+      background-color: transparent;
+      color: #fff;
+    }
+  
+    a code {
+      border-radius: .125rem .125rem 0 0;
+      padding-bottom: 0;
+      color: #4b45a9;
+    }
+  
+    a[href^="http://"]:after,
+    a[href^="https://"]:after {
+      background-image: linear-gradient(transparent,transparent),url("data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%20112%20109%22%3E%3Cg%20id%3D%22Page-1%22%20fill%3D%22none%22%20fill-rule%3D%22evenodd%22%3E%3Cg%20id%3D%22link-external%22%3E%3Cg%20id%3D%22arrow%22%3E%3Cpath%20id%3D%22Line%22%20stroke%3D%22%234B45A9%22%20stroke-width%3D%2215%22%20d%3D%22M88.5%2021l-43%2042.5%22%20stroke-linecap%3D%22square%22%2F%3E%3Cpath%20id%3D%22Triangle%22%20fill%3D%22%234B45A9%22%20d%3D%22M111.2%200v50L61%200z%22%2F%3E%3C%2Fg%3E%3Cpath%20id%3D%22square%22%20fill%3D%22%234B45A9%22%20d%3D%22M66%2015H0v94h94V44L79%2059v35H15V30h36z%22%2F%3E%3C%2Fg%3E%3C%2Fg%3E%3C%2Fsvg%3E");
+      background-repeat: no-repeat;
+      background-size: .75rem;
+      content: "";
+      display: inline-block;
+      height: .75rem;
+      margin-left: .25rem;
+      width: .75rem;
+    }
+  
+  
+  /* Layout */
+  
+    [class*=layout-container] {
+      margin: 0 auto;
+      max-width: 71.25em;
+      padding: 1.9em 1.3em;
+      position: relative;
+    }
+    .layout-container--short {
+      padding-top: 0;
+      padding-bottom: 0;
+      max-width: 48.75em;
+    }
+  
+    .layout-container--short:after {
+      display: block;
+      content: "";
+      clear: both;
+    }
+  
+  /* Header */
+  
+    .header {
+      padding-bottom: 1px;
+    }
+  
+    .paths {
+      margin-left: 8px;
+    }
+    .header-wrap {
+      display: flex;
+      flex-direction: row;
+      justify-content: space-between;
+      padding-top: 2em;
+    }
+    .project__header {
+      background-color: #4b45a9;
+      color: #fff;
+      margin-bottom: -1px;
+      padding-top: 1em;
+      padding-bottom: 0.25em;
+      border-bottom: 2px solid #BBB;
+    }
+  
+    .project__header__title {
+      overflow-wrap: break-word;
+      word-wrap: break-word;
+      word-break: break-all;
+      margin-bottom: .1em;
+      margin-top: 0;
+    }
+  
+    .timestamp {
+      float: right;
+      clear: none;
+      margin-bottom: 0;
+    }
+  
+    .meta-counts {
+      clear: both;
+      display: block;
+      flex-wrap: wrap;
+      justify-content: space-between;
+      margin: 0 0 1.5em;
+      color: #fff;
+      clear: both;
+      font-size: 1.1em;
+    }
+  
+    .meta-count {
+      display: block;
+      flex-basis: 100%;
+      margin: 0 1em 1em 0;
+      float: left;
+      padding-right: 1em;
+      border-right: 2px solid #fff;
+    }
+  
+    .meta-count:last-child {
+      border-right: 0;
+      padding-right: 0;
+      margin-right: 0;
+    }
+  
+  /* Card */
+  
+    .card {
+      background-color: #fff;
+      border: 1px solid #c5c5c5;
+      border-radius: .25rem;
+      margin: 0 0 2em 0;
+      position: relative;
+      min-height: 40px;
+      padding: 1.5em;
+    }
+  
+    .card .label {
+      background-color: #767676;
+      border: 2px solid #767676;
+      color: white;
+      padding: 0.25rem 0.75rem;
+      font-size: 0.875rem;
+      text-transform: uppercase;
+      display: inline-block;
+      margin: 0;
+      border-radius: 0.25rem;
+    }
+  
+    .card .label__text {
+      vertical-align: text-top;
+        font-weight: bold;
+    }
+  
+    .card .label--critical {
+      background-color: #AB1A1A;
+      border-color: #AB1A1A;
+    }
+  
+    .card .label--high {
+      background-color: #CE5019;
+      border-color: #CE5019;
+    }
+  
+    .card .label--medium {
+      background-color: #D68000;
+      border-color: #D68000;
+    }
+  
+    .card .label--low {
+      background-color: #88879E;
+      border-color: #88879E;
+    }
+  
+    .severity--low {
+      border-color: #88879E;
+    }
+  
+    .severity--medium {
+      border-color: #D68000;
+    }
+  
+    .severity--high {
+      border-color: #CE5019;
+    }
+  
+    .severity--critical {
+      border-color: #AB1A1A;
+    }
+  
+    .card--vuln {
+      padding-top: 4em;
+    }
+  
+    .card--vuln .label {
+      left: 0;
+      position: absolute;
+      top: 1.1em;
+      padding-left: 1.9em;
+      padding-right: 1.9em;
+      border-radius: 0 0.25rem 0.25rem 0;
+    }
+  
+    .card--vuln .card__section h2 {
+      font-size: 22px;
+      margin-bottom: 0.5em;
+    }
+  
+    .card--vuln .card__section p {
+      margin: 0 0 0.5em 0;
+    }
+  
+    .card--vuln .card__meta {
+      padding: 0 0 0 1em;
+      margin: 0;
+      font-size: 1.1em;
+    }
+  
+    .card .card__meta__paths {
+      font-size: 0.9em;
+    }
+  
+    .card--vuln .card__title {
+      font-size: 28px;
+      margin-top: 0;
+    }
+  
+    .card--vuln .card__cta p {
+      margin: 0;
+      text-align: right;
+    }
+  
+    .source-panel {
+      clear: both;
+      display: flex;
+      justify-content: flex-start;
+      flex-direction: column;
+      align-items: flex-start;
+      padding: 0.5em 0;
+      width: fit-content;
+    }
+  
+  
+  
+  </style>
+  <style type="text/css">
+    .metatable {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      margin-top: 12px;
+      border-collapse: collapse;
+      border-spacing: 0;
+      font-variant-numeric: tabular-nums;
+      max-width: 51.75em;
+    }
+  
+    tbody {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      flex-wrap: wrap;
+    }
+  
+    .meta-row {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      outline: none;
+      text-align: left;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+      display: flex;
+      align-items: start;
+      border-top: 1px solid #d3d3d9;
+      padding: 8px 0 0 0;
+      border-bottom: none;
+      margin: 8px;
+      width: 47.75%;
+    }
+  
+    .meta-row-label {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      color: #4c4a73;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      margin: 0;
+      outline: none;
+      text-decoration: none;
+      z-index: auto;
+      align-self: start;
+      flex: 1;
+      font-size: 1rem;
+      line-height: 1.5rem;
+      padding: 0;
+      text-align: left;
+      vertical-align: top;
+      text-transform: none;
+      letter-spacing: 0;
+    }
+  
+    .meta-row-value {
+      text-size-adjust: 100%;
+      -webkit-font-smoothing: antialiased;
+      -webkit-box-direction: normal;
+      color: inherit;
+      font-feature-settings: "pnum";
+      border-collapse: collapse;
+      border-spacing: 0;
+      word-break: break-word;
+      box-sizing: border-box;
+      background: transparent;
+      border: 0;
+      font: inherit;
+      font-size: 100%;
+      margin: 0;
+      outline: none;
+      padding: 0;
+      text-align: right;
+      text-decoration: none;
+      vertical-align: baseline;
+      z-index: auto;
+    }
+  </style>
+</head>
+
+<body class="section-projects">
+  <main class="layout-stacked">
+        <div class="layout-stacked__header header">
+          <header class="project__header">
+            <div class="layout-container">
+              <a class="brand" href="https://snyk.io" title="Snyk">
+                <svg width="68px" height="35px" viewBox="0 0 68 35" version="1.1" xmlns="http://www.w3.org/2000/svg" role="img">
+                  <title>Snyk - Open Source Security</title>
+                  <g stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+                    <g fill="#fff">
+                      <path d="M5.732,27.278 C3.445,27.278 1.589,26.885 0,26.124 L0.483,22.472 C2.163,23.296 4.056,23.689 5.643,23.689 C6.801,23.689 7.563,23.295 7.563,22.599 C7.563,20.594 0.333,21.076 0.333,15.839 C0.333,12.491 3.407,10.729 7.259,10.729 C9.179,10.729 11.161,11.249 12.444,11.704 L11.924,15.294 C10.577,14.774 8.747,14.291 7.222,14.291 C6.282,14.291 5.518,14.621 5.518,15.231 C5.518,17.208 12.903,16.815 12.903,21.925 C12.903,25.325 9.877,27.277 5.733,27.277 L5.732,27.278 Z M25.726,26.936 L25.726,17.894 C25.726,15.827 24.811,14.85 23.069,14.85 C22.219,14.85 21.329,15.09 20.719,15.46 L20.719,26.936 L15.352,26.936 L15.352,11.262 L20.602,10.83 L20.474,13.392 L20.652,13.392 C21.784,11.87 23.702,10.716 25.992,10.716 C28.736,10.716 31.112,12.416 31.112,16.436 L31.112,26.936 L25.724,26.936 L25.726,26.936 Z M61.175,26.936 L56.879,19.479 L56.446,19.479 L56.446,26.935 L51.082,26.935 L51.082,8.37 L56.447,0 L56.447,17.323 C57.515,16.017 61.112,11.059 61.112,11.059 L67.732,11.059 L61.454,17.689 L67.949,26.95 L61.175,26.95 L61.175,26.938 L61.175,26.936 Z M44.13,11.11 L41.93,18.262 C41.5,19.606 41.08,22.079 41.08,22.079 C41.08,22.079 40.75,19.516 40.292,18.172 L37.94,11.108 L31.928,11.108 L38.462,26.935 C37.572,29.04 36.199,30.815 34.369,30.815 C34.039,30.815 33.709,30.802 33.389,30.765 L31.255,34.061 C31.928,34.441 33.212,34.835 34.737,34.835 C38.703,34.835 41.359,31.627 43.215,26.885 L49.443,11.108 L44.132,11.108 L44.13,11.11 Z"></path>
+                    </g>
+                  </g>
+                </svg>
+              </a>
+              <div class="header-wrap">
+                  <h1 class="project__header__title">Snyk test report</h1>
+    
+                <p class="timestamp">February 5th 2023, 12:20:39 am</p>
+              </div>
+              <div class="source-panel">
+                <span>Scanned the following paths:</span>
+                <ul>
+                  <li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (apk)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/hairyhenderson/gomplate/v3 (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li><li class="paths">ghcr.io/dexidp/dex:v2.35.3/dexidp/dex (gomodules)</li>
+                </ul>
+              </div>
+    
+              <div class="meta-counts">
+                <div class="meta-count"><span>3</span> <span>known vulnerabilities</span></div>
+                <div class="meta-count"><span>5 vulnerable dependency paths</span></div>
+                <div class="meta-count"><span>756</span> <span>dependencies</span></div>
+              </div><!-- .meta-counts -->
+            </div><!-- .layout-container--short -->
+          </header><!-- .project__header -->
+        </div><!-- .layout-stacked__header -->
+
+    <div class="layout-container" style="padding-top: 35px;">
+      <div class="cards--vuln filter--patch filter--ignore">
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Improper Input Validation</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/text/language
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/text/language@v0.3.7
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/text/language@v0.3.7
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Improper Input Validation due to the parser being, by design, exposed to untrusted user input, which can be leveraged to force a program to consume significant time parsing <code>Accept-Language</code> headers.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/text/language</code> to version 0.3.8 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/text/commit/434eadcdbc3b0256971992e8c70027278364c72c">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56152">GitHub Issue</a></li>
+        <li><a href="https://github.com/golang/text/releases/tag/v0.3.8">GitHub Release</a></li>
+        <li><a href="https://groups.google.com/g/golang-dev/c/qfPIly0X7aU">Google Groups Forum</a></li>
+        <li><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2134010">RedHat Bugzilla Bug</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXTEXTLANGUAGE-3043869">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Incorrect Privilege Assignment</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/sys/unix
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/sys/unix@v0.0.0-20220728004956-3c1f35247d10
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p>Affected versions of this package are vulnerable to Incorrect Privilege Assignment such that when called with a non-zero flags parameter, the <code>Faccessat</code> function can incorrectly report that a file is accessible.</p>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/sys/unix</code> to version 0.1.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://github.com/golang/sys/commit/33da011f77ade50ff5b6a6fb4a9a1e6d6b285809">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/sys/releases/tag/v0.1.0">GitHub Release</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXSYSUNIX-3310442">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+        <div class="card card--vuln  disclosure--not-new severity--medium" data-snyk-test="medium">
+            <h2 class="card__title">Denial of Service (DoS)</h2>
+            <div class="card__section">
+        
+                <div class="label label--medium">
+                    <span class="label__text">medium severity</span>
+                </div>
+        
+                <hr/>
+        
+                <ul class="card__meta">
+                    <li class="card__meta__item">
+                        Package Manager: golang
+                    </li>
+                    <li class="card__meta__item">
+                            Vulnerable module:
+        
+                            golang.org/x/net/http2
+                    </li>
+        
+                    <li class="card__meta__item">Introduced through:
+        
+                                github.com/hairyhenderson/gomplate/v3@* and golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+        
+                    </li>
+                </ul>
+        
+                <hr/>
+        
+        
+                        <h3 class="card__section__title">Detailed paths</h3>
+        
+                    <ul class="card__meta__paths">
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/hairyhenderson/gomplate/v3@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220909164309-bea034e7d591
+                                        
+                                </span>
+        
+                            </li>
+                                <li>
+                                <span class="list-paths__item__introduced"><em>Introduced through</em>:
+                                        github.com/dexidp/dex@*
+                                         <span class="list-paths__item__arrow">›</span> 
+                                        golang.org/x/net/http2@v0.0.0-20220927171203-f486391704dc
+                                        
+                                </span>
+        
+                            </li>
+                    </ul><!-- .list-paths -->
+        
+            </div><!-- .card__section -->
+        
+              <hr/>
+              <!-- Overview -->
+              <h2 id="overview">Overview</h2>
+        <p><a href="https://pkg.go.dev/golang.org/x/net@v0.0.0-20211209100829-84cba5454caf/http2#section-readme">golang.org/x/net/http2</a> is a work-in-progress HTTP/2 implementation for Go.</p>
+        <p>Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper checks and limitations for the number of entries in the cache, which can allow an attacker to consume unbounded amounts of memory by sending a small number of very large keys.</p>
+        <h2 id="details">Details</h2>
+        <p>Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.</p>
+        <p>Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.</p>
+        <p>One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.</p>
+        <p>When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.</p>
+        <p>Two common types of DoS vulnerabilities:</p>
+        <ul>
+        <li><p>High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, <a href="SNYK-JAVA-COMMONSFILEUPLOAD-30082">commons-fileupload:commons-fileupload</a>.</p>
+        </li>
+        <li><p>Crash - An attacker sending crafted requests that could cause the system to crash. For Example,  <a href="https://snyk.io/vuln/npm:ws:20171108">npm <code>ws</code> package</a></p>
+        </li>
+        </ul>
+        <h2 id="remediation">Remediation</h2>
+        <p>Upgrade <code>golang.org/x/net/http2</code> to version 0.4.0 or higher.</p>
+        <h2 id="references">References</h2>
+        <ul>
+        <li><a href="https://cs.opensource.google/go/x/net/+/1e63c2f08a10a150fa02c50ece89b340ae64efe4">Fix Commit</a></li>
+        <li><a href="https://go-review.googlesource.com/c/net/+/455635">Fix Commit</a></li>
+        <li><a href="https://github.com/golang/net/commit/1e63c2f08a10a150fa02c50ece89b340ae64efe4">GitHub Commit</a></li>
+        <li><a href="https://github.com/golang/go/issues/56350">GitHub Issue</a></li>
+        </ul>
+        
+              <hr/>
+        
+            <div class="cta card__cta">
+                <p><a href="https://snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322">More about this vulnerability</a></p>
+            </div>
+        
+        </div><!-- .card -->
+      </div><!-- cards -->
+    </div>
+  </main><!-- .layout-stacked__content -->
+</body>
+
+</html>