ArgoCD busybox trivy report

[ffppmm]

Hi,

I don't know why but our trivy complains about busybox Version and cve-2022-48174.

From https://avd.aquasec.com/nvd/2022/cve-2022-48174/ only Versions below 1.35 are affected.

Currently installed Version in ArgoCD redis and dex-server:

/data $ busybox | head -n 1
BusyBox v1.36.1 (2023-11-07 18:53:09 UTC) multi-call binary.

Trivy reports:
Installed Version: 1.36.1-r0
Fixed Version: 1.36.1-r1

Is this just a false positive or is there an Update required?
Regards Philipp

[phill0555]

Any news on this? Just came up in our trivy report as we are new to using Argo Workflows. Seems odd to be using a version so close to the fixed version instead of just updating to the version with the fix.