Update Snyk configuration file to prevent ignoring CVEs

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com>

Closes #24331
This commit is contained in:
Bruno Oliveira da Silva 2023-10-26 15:33:34 -03:00
parent 69497382d8
commit 20354f3e0c

67
.github/snyk/.snyk vendored
View file

@ -27,17 +27,7 @@ ignore:
according to the Netty team, the fix should be available on Netty 5.
The expiry date was set as a reminder for us to upgrade, once they
provide the fix.
expires: 2023-12-31T00:00:00.000Z
SNYK-JAVA-ORGWILDFLYSECURITY-1316682:
- "*":
reason: >
WildFly Elytron was upgraded and Keycloak is no longer affected
by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final,
1.15.5.Final and 1.16.1.Final last year. More details:
- https://issues.redhat.com/browse/ELY-2147
- https://nvd.nist.gov/vuln/detail/CVE-2021-3642
- https://github.com/keycloak/keycloak/pull/11250
- https://github.com/keycloak/keycloak/pull/11197
expires: 2024-06-31T00:00:00.000Z
SNYK-JAVA-ORGKEYCLOAK-1658295:
- "*":
reason: >
@ -59,58 +49,3 @@ ignore:
More details:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
- https://access.redhat.com/security/cve/CVE-2022-2668
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
- "*":
reason: >
On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003
is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0
release is out, we should be able to temporarily ignore those alerts from dependency
scanners.
More details:
- https://github.com/keycloak/keycloak/issues/14785
expires: 2022-11-31T00:00:00.000Z
SNYK-JAVA-IOSMALLRYE-2993220:
- "*":
reason: >
Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5
More details:
- https://github.com/keycloak/keycloak/issues/14993
# License warnings
snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.
snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.
snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.