Upgrade goutils to v1.1.1 to address Security vulnerability

[jaideepr97]

Summary

Argo CD v2.6.z has moved up to goutils v1.1.1 however, previous versions (at least until v2.3.z) are still running goutils v1.1.0
This includes (v2.3.15, v2.4.21 and v2.5.9)
goutils v1.1.0 is impacted by the following CVE (https://nvd.nist.gov/vuln/detail/CVE-2021-4238) categorized as critical (although snyk categorized it as medium (https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMMASTERMINDSGOUTILS-3121153))

The safest approach is likely to bump up the version of goutils to v1.1.1 in all affected versions

Motivation

One of the 2 affected functions from above CVE (CryptoRandomAlphaNumeric) forms a dependency for ApplicationSet logic in v2.5.z. Code path can be traced to said function starting here: https://github.com/argoproj/argo-cd/blob/master/applicationset/utils/utils.go#L23

The same function is also consumed within notifications-engine in v2.4.z and v2.3.z
code path can be traced to said function starting here:
https://github.com/argoproj/notifications-engine/blob/master/pkg/templates/service.go#L20

notifications-engine is also consumed within argo-cd, hence it may be exposed transitively

See related issue: argoproj/notifications-engine#152

Proposal

Upgrade goutils to v1.1.1 in all supported and affected Argo CD versions (v2.3.15, v2.4.21 and v2.5.9)

[crenshaw-dev]

As far as I can tell, we don't directly use the vulnerable functions anywhere.

This vulnerability impacts notifications users who use the CryptoRandomAlphaNumeric function in their notifications config.

It also impacts ApplicationSets users in >=v2.5 who use CryptoRandomAlphaNumeric in their ApplicationSet templates.

I think we should upgrade goutils across all currently-supported versions so that our users have access to secure functions.

[jaideepr97]

Thanks @crenshaw-dev
Closing this issue

[crenshaw-dev]

Fixes will be in 2.3.16, 2.4.22, and 2.5.10.