keycloak-scim/.github/snyk/.snyk

version: v1.22.2
ignore:
  SNYK-JAVA-ORGKEYCLOAK-1062507:
    - "*":
        reason: >
          The Keycloak core module is not affected by Open Redirect
          Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old
          project already decommissioned from our org. More details:
            - https://issues.redhat.com/browse/KEYCLOAK-11318
            - https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
            - https://hub.docker.com/r/keycloak/keycloak-gatekeeper
  SNYK-JAVA-ORGKEYCLOAK-1088339:
    - "*":
        reason: >
          The Keycloak services module is not affected by CVE-2021-3461 anymore,  
          the issue was fixed on Keycloak 14.0.0 last year. More details:
            - https://issues.redhat.com/browse/KEYCLOAK-17495
  SNYK-JAVA-IONETTY-1042268:
    - "*":
        reason: >
          There is no fixed version for io.netty:netty-handler. More details:
            - https://github.com/netty/netty/issues/10806
            - https://github.com/netty/netty/issues/8537
            - https://github.com/netty/netty/issues/9930
            - https://github.com/netty/netty/issues/10362
          Netty Handler is a transitive dependency coming from Quarkus,
          according to the Netty team, the fix should be available on Netty 5.
          The expiry date was set as a reminder for us to upgrade, once they
          provide the fix.
        expires: 2023-12-31T00:00:00.000Z
  SNYK-JAVA-ORGWILDFLYSECURITY-1316682:
    - "*":
        reason: >
          WildFly Elytron was upgraded and Keycloak is no longer affected 
          by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final, 
          1.15.5.Final and 1.16.1.Final last year. More details:
            - https://issues.redhat.com/browse/ELY-2147   
            - https://nvd.nist.gov/vuln/detail/CVE-2021-3642
            - https://github.com/keycloak/keycloak/pull/11250
            - https://github.com/keycloak/keycloak/pull/11197
  SNYK-JAVA-ORGKEYCLOAK-1658295:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v   
            - https://access.redhat.com/security/cve/cve-2021-3827
  SNYK-JAVA-ORGKEYCLOAK-1083276:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-mwm4-5qwr-g9pf   
            - https://access.redhat.com/security/cve/cve-2021-3424              
  SNYK-JAVA-ORGKEYCLOAK-2987457:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v   
            - https://access.redhat.com/security/cve/CVE-2022-2668
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
    - "*":
        reason: >
          On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003 
          is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0 
          release is out, we should be able to temporarily ignore those alerts from dependency 
          scanners.
          More details:
            - https://github.com/keycloak/keycloak/issues/14785
        expires: 2022-11-31T00:00:00.000Z
  SNYK-JAVA-IOSMALLRYE-2993220:
    - "*":
        reason: >
          Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5
          More details:
            - https://github.com/keycloak/keycloak/issues/14993         

  # License warnings
  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
  snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.
  snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.
  snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
  snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.

  snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
  snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
  snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
Suppress Snyk false positives Resolves #11203 2022-04-08 19:08:58 +00:00			`version: v1.22.2`
			`ignore:`
			`SNYK-JAVA-ORGKEYCLOAK-1062507:`
Ignore license compliance warnings Resolves #11225 2022-04-11 19:17:05 +00:00			`- "*":`
Suppress Snyk false positives Resolves #11203 2022-04-08 19:08:58 +00:00			`reason: >`
			`The Keycloak core module is not affected by Open Redirect`
Ignore vulnerabilities fixed on Keycloak 18.0.0 Resolves #11672 2022-04-26 14:25:13 +00:00			`Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old`
Suppress Snyk false positives Resolves #11203 2022-04-08 19:08:58 +00:00			`project already decommissioned from our org. More details:`
			`- https://issues.redhat.com/browse/KEYCLOAK-11318`
			`- https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc`
			`- https://hub.docker.com/r/keycloak/keycloak-gatekeeper`
			`SNYK-JAVA-ORGKEYCLOAK-1088339:`
Ignore license compliance warnings Resolves #11225 2022-04-11 19:17:05 +00:00			`- "*":`
Suppress Snyk false positives Resolves #11203 2022-04-08 19:08:58 +00:00			`reason: >`
			`The Keycloak services module is not affected by CVE-2021-3461 anymore,`
			`the issue was fixed on Keycloak 14.0.0 last year. More details:`
			`- https://issues.redhat.com/browse/KEYCLOAK-17495`
			`SNYK-JAVA-IONETTY-1042268:`
Ignore license compliance warnings Resolves #11225 2022-04-11 19:17:05 +00:00			`- "*":`
Suppress Snyk false positives Resolves #11203 2022-04-08 19:08:58 +00:00			`reason: >`
			`There is no fixed version for io.netty:netty-handler. More details:`
			`- https://github.com/netty/netty/issues/10806`
			`- https://github.com/netty/netty/issues/8537`
			`- https://github.com/netty/netty/issues/9930`
			`- https://github.com/netty/netty/issues/10362`
			`Netty Handler is a transitive dependency coming from Quarkus,`
			`according to the Netty team, the fix should be available on Netty 5.`
			`The expiry date was set as a reminder for us to upgrade, once they`
Ignore license compliance warnings Resolves #11225 2022-04-11 19:17:05 +00:00			`provide the fix.`
Suppress Snyk alerts related with Netty Resolves #15066 2022-10-20 15:44:06 +00:00			`expires: 2023-12-31T00:00:00.000Z`
Suppress Snyk warnings about WildFly Elytron Resolves #11277 2022-04-13 12:28:32 +00:00			`SNYK-JAVA-ORGWILDFLYSECURITY-1316682:`
			`- "*":`
			`reason: >`
			`WildFly Elytron was upgraded and Keycloak is no longer affected`
			`by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final,`
			`1.15.5.Final and 1.16.1.Final last year. More details:`
			`- https://issues.redhat.com/browse/ELY-2147`
			`- https://nvd.nist.gov/vuln/detail/CVE-2021-3642`
			`- https://github.com/keycloak/keycloak/pull/11250`
			`- https://github.com/keycloak/keycloak/pull/11197`
Ignore vulnerabilities fixed on Keycloak 18.0.0 Resolves #11672 2022-04-26 14:25:13 +00:00			`SNYK-JAVA-ORGKEYCLOAK-1658295:`
			`- "*":`
			`reason: >`
			`Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0`
			`More details:`
			`- https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v`
			`- https://access.redhat.com/security/cve/cve-2021-3827`
			`SNYK-JAVA-ORGKEYCLOAK-1083276:`
			`- "*":`
			`reason: >`
			`Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0`
			`More details:`
			`- https://github.com/keycloak/keycloak/security/advisories/GHSA-mwm4-5qwr-g9pf`
False alert - Arbitrary Code Execution vulnerability in org.keycloak:keycloak-saml-core Resolves #14639 2022-09-28 15:20:26 +00:00			`- https://access.redhat.com/security/cve/cve-2021-3424`
			`SNYK-JAVA-ORGKEYCLOAK-2987457:`
			`- "*":`
			`reason: >`
			`Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2`
			`More details:`
			`- https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v`
Update Snyk ignore file to ignore jackson-databind 2.14.0 is out Resolves #14831 2022-10-10 21:32:35 +00:00			`- https://access.redhat.com/security/cve/CVE-2022-2668`
			`SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:`
			`- "*":`
			`reason: >`
			`On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003`
			`is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0`
			`release is out, we should be able to temporarily ignore those alerts from dependency`
			`scanners.`
			`More details:`
			`- https://github.com/keycloak/keycloak/issues/14785`
			`expires: 2022-11-31T00:00:00.000Z`
Prevent false alerts related to CVE-2021-3914 Resolves #14993 2022-10-18 21:52:15 +00:00			`SNYK-JAVA-IOSMALLRYE-2993220:`
			`- "*":`
			`reason: >`
			`Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5`
			`More details:`
			`- https://github.com/keycloak/keycloak/issues/14993`
Update Snyk ignore file to ignore jackson-databind 2.14.0 is out Resolves #14831 2022-10-10 21:32:35 +00:00
Ignore license compliance warnings Resolves #11225 2022-04-11 19:17:05 +00:00			`# License warnings`
			`snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.`
			`snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.`
			`snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.`
			`snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.`
			`snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.`
			`snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.`

			`snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.`
			`snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.`
			`snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:`
			`- "*":`
			`reason: >`
			`Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.`