Suppress Snyk false positives

Resolves #11203
This commit is contained in:
Bruno Oliveira da Silva 2022-04-08 16:08:58 -03:00
parent f84f5fd86e
commit 0ff92df01f
2 changed files with 32 additions and 2 deletions

30
.github/snyk/.snyk vendored Normal file
View file

@ -0,0 +1,30 @@
version: v1.22.2
ignore:
SNYK-JAVA-ORGKEYCLOAK-1062507:
- '*':
reason: >
The Keycloak core module is not affected by Open Redirect
Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old
project already decommissioned from our org. More details:
- https://issues.redhat.com/browse/KEYCLOAK-11318
- https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
- https://hub.docker.com/r/keycloak/keycloak-gatekeeper
SNYK-JAVA-ORGKEYCLOAK-1088339:
- '*':
reason: >
The Keycloak services module is not affected by CVE-2021-3461 anymore,
the issue was fixed on Keycloak 14.0.0 last year. More details:
- https://issues.redhat.com/browse/KEYCLOAK-17495
SNYK-JAVA-IONETTY-1042268:
- '*':
reason: >
There is no fixed version for io.netty:netty-handler. More details:
- https://github.com/netty/netty/issues/10806
- https://github.com/netty/netty/issues/8537
- https://github.com/netty/netty/issues/9930
- https://github.com/netty/netty/issues/10362
Netty Handler is a transitive dependency coming from Quarkus,
according to the Netty team, the fix should be available on Netty 5.
The expiry date was set as a reminder for us to upgrade, once they
provide the fix.
expires: 2022-05-31T00:00:00.000Z

View file

@ -26,7 +26,7 @@ jobs:
- uses: snyk/actions/setup@master
- name: Check for vulnerabilities
run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@ -54,7 +54,7 @@ jobs:
- uses: snyk/actions/setup@master
- name: Check for vulnerabilities for the Operator
run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
continue-on-error: true
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}