parent
f84f5fd86e
commit
0ff92df01f
2 changed files with 32 additions and 2 deletions
30
.github/snyk/.snyk
vendored
Normal file
30
.github/snyk/.snyk
vendored
Normal file
|
@ -0,0 +1,30 @@
|
|||
version: v1.22.2
|
||||
ignore:
|
||||
SNYK-JAVA-ORGKEYCLOAK-1062507:
|
||||
- '*':
|
||||
reason: >
|
||||
The Keycloak core module is not affected by Open Redirect
|
||||
Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old
|
||||
project already decommissioned from our org. More details:
|
||||
- https://issues.redhat.com/browse/KEYCLOAK-11318
|
||||
- https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
|
||||
- https://hub.docker.com/r/keycloak/keycloak-gatekeeper
|
||||
SNYK-JAVA-ORGKEYCLOAK-1088339:
|
||||
- '*':
|
||||
reason: >
|
||||
The Keycloak services module is not affected by CVE-2021-3461 anymore,
|
||||
the issue was fixed on Keycloak 14.0.0 last year. More details:
|
||||
- https://issues.redhat.com/browse/KEYCLOAK-17495
|
||||
SNYK-JAVA-IONETTY-1042268:
|
||||
- '*':
|
||||
reason: >
|
||||
There is no fixed version for io.netty:netty-handler. More details:
|
||||
- https://github.com/netty/netty/issues/10806
|
||||
- https://github.com/netty/netty/issues/8537
|
||||
- https://github.com/netty/netty/issues/9930
|
||||
- https://github.com/netty/netty/issues/10362
|
||||
Netty Handler is a transitive dependency coming from Quarkus,
|
||||
according to the Netty team, the fix should be available on Netty 5.
|
||||
The expiry date was set as a reminder for us to upgrade, once they
|
||||
provide the fix.
|
||||
expires: 2022-05-31T00:00:00.000Z
|
4
.github/workflows/snyk.yml
vendored
4
.github/workflows/snyk.yml
vendored
|
@ -26,7 +26,7 @@ jobs:
|
|||
|
||||
- uses: snyk/actions/setup@master
|
||||
- name: Check for vulnerabilities
|
||||
run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
|
||||
run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
|
||||
continue-on-error: true
|
||||
env:
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
|
@ -54,7 +54,7 @@ jobs:
|
|||
|
||||
- uses: snyk/actions/setup@master
|
||||
- name: Check for vulnerabilities for the Operator
|
||||
run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
|
||||
run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
|
||||
continue-on-error: true
|
||||
env:
|
||||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
|
||||
|
|
Loading…
Reference in a new issue