Suppress Snyk false positives

Resolves #11203
2022-04-08 16:08:58 -03:00 · 2022-04-08 16:08:58 -03:00 · 0ff92df01f
commit 0ff92df01f
parent f84f5fd86e
2 changed files with 32 additions and 2 deletions
--- a/.github/snyk/.snyk
+++ b/.github/snyk/.snyk
@ -0,0 +1,30 @@
+version: v1.22.2
+ignore:
+  SNYK-JAVA-ORGKEYCLOAK-1062507:
+    - '*':
+        reason: >
+          The Keycloak core module is not affected by Open Redirect
+          Vulnerability (CVE-2020-1723),  that relates to Gatekeeper, an old
+          project already decommissioned from our org. More details:
+            - https://issues.redhat.com/browse/KEYCLOAK-11318
+            - https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
+            - https://hub.docker.com/r/keycloak/keycloak-gatekeeper
+  SNYK-JAVA-ORGKEYCLOAK-1088339:
+    - '*':
+        reason: >
+          The Keycloak services module is not affected by CVE-2021-3461 anymore,  
+          the issue was fixed on Keycloak 14.0.0 last year. More details:
+            - https://issues.redhat.com/browse/KEYCLOAK-17495
+  SNYK-JAVA-IONETTY-1042268:
+    - '*':
+        reason: >
+          There is no fixed version for io.netty:netty-handler. More details:
+            - https://github.com/netty/netty/issues/10806
+            - https://github.com/netty/netty/issues/8537
+            - https://github.com/netty/netty/issues/9930
+            - https://github.com/netty/netty/issues/10362
+          Netty Handler is a transitive dependency coming from Quarkus,
+          according to the Netty team, the fix should be available on Netty 5.
+          The expiry date was set as a reminder for us to upgrade, once they
+          provide the fix.  
+        expires: 2022-05-31T00:00:00.000Z
--- a/.github/workflows/snyk.yml
+++ b/.github/workflows/snyk.yml
@ -26,7 +26,7 @@ jobs:

      - uses: snyk/actions/setup@master
      - name: Check for vulnerabilities
-        run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
+        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=quarkus-report.sarif quarkus
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
@ -54,7 +54,7 @@ jobs:

      - uses: snyk/actions/setup@master    
      - name: Check for vulnerabilities for the Operator
-        run: snyk test --policy-path=.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
+        run: snyk test --policy-path=${GITHUB_WORKSPACE}/.github/snyk/.snyk --all-projects --prune-repeated-subdependencies --exclude=tests --sarif-file-output=operator-report.sarif operator
        continue-on-error: true
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}