I built ArgoCD from source:
```bash
mkdir argocd_build && \
cd argocd_build && \
mkdir gocache && \
mkdir gopath && \
export GOCACHE="$(realpath gocache)" && \
export GOPATH="$(realpath gopath)" && \
git clone https://github.com/argoproj/argo-cd && \
cd argo-cd && \
git checkout master && \
make clean && \
make BIN_NAME=argocd-linux-amd64 GOOS=linux argocd-all
```
Built from 08cd54775046c6ca7071ebe4f5d817f2658cd3c9 (current master).
Docker Scout reports a CVE on it:
```
1C 0H 0M 0L github.com/argoproj/argo-cd/v3 3.0.0-20250826192237-08cd54775046
pkg:golang/github.com/argoproj/[email protected]#v3
18: sha256:1326df62499f5e3478c1d5872b8acf7bbc3fad28394319df5c4a2327961e826f
/usr/local/bin/argocd (evident by)
✗ CRITICAL CVE-2025-47933 [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]
https://scout.docker.com/v/CVE-2025-47933
Affected range : <3.0.4
Fixed version : 3.0.4
CVSS Score : 9.0
CVSS Vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
```
Even though in the image it says:
```
$ /usr/local/bin/argocd version
argocd: v3.2.0+08cd547
BuildDate: 2025-08-27T07:08:37Z
GitCommit: 08cd54775046c6ca7071ebe4f5d817f2658cd3c9
GitTreeState: clean
GoVersion: go1.25.0
Compiler: gc
Platform: linux/amd64
{"level":"fatal","msg":"Argo CD server address unspecified","time":"2025-08-27T07:38:40Z"}
```
If I build from ArgoCD's newest tag (v3.1.1) then I cannot reproduce this issue.
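
The scanner output above records the binary's module version as a Go pseudo-version (3.0.0-20250826192237-08cd54775046), which sorts below 3.0.4 under semantic-version ordering even though the commit is current master. The triage helper below is an added example, not part of the original issue and not Docker Scout's code; its function names and verdict strings are hypothetical, and it assumes the affected-range check is a plain SemVer comparison.

```python
import re

# Basic Go pseudo-version: X.Y.Z-<14-digit UTC timestamp>-<12-hex commit prefix>.
PSEUDO = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)-(\d{14})-([0-9a-f]{12})$")
RELEASE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

def parse(version):
    """Return ((major, minor, patch), is_prerelease, commit_prefix or None)."""
    m = PSEUDO.match(version)
    if m:
        return tuple(map(int, m.group(1, 2, 3))), True, m.group(5)
    m = RELEASE.match(version)
    if m:
        return tuple(map(int, m.group(1, 2, 3))), False, None
    raise ValueError(f"unsupported version string: {version!r}")

def below(version, fixed):
    """SemVer 'version < fixed' for the two forms parse() accepts."""
    core, pre, _ = parse(version)
    fixed_core, fixed_pre, _ = parse(fixed)
    if core != fixed_core:
        return core < fixed_core
    # Same X.Y.Z: a pre-release (which a pseudo-version is) sorts below the
    # release. Two pseudo-versions with the same X.Y.Z are not ordered here.
    return pre and not fixed_pre

def triage(reported, fixed, git_commit):
    """Classify a scanner finding (hypothetical verdict strings)."""
    if not below(reported, fixed):
        return "not-in-range"
    _, _, prefix = parse(reported)
    if prefix and git_commit.startswith(prefix):
        # Version was derived from the commit, not from a release tag, so the
        # range match says nothing about whether the fix is in the build.
        return "in-range-by-pseudo-version"
    return "in-range"

if __name__ == "__main__":
    # Values copied from the issue above.
    print(triage("3.0.0-20250826192237-08cd54775046", "3.0.4",
                 "08cd54775046c6ca7071ebe4f5d817f2658cd3c9"))
    # Assumes a v3.1.1 tag build is reported as plain 3.1.1.
    print(triage("3.1.1", "3.0.4", "0" * 40))
```

When the verdict is `in-range-by-pseudo-version`, check whether the fix commit is an ancestor of the built commit (for example with `git merge-base --is-ancestor`) instead of relying on the version comparison.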