Update Snyk ignore file to ignore jackson-databind 2.14.0 is out

Resolves #14831
2022-10-10 18:32:35 -03:00 · 2022-10-10 18:32:35 -03:00 · 9c007e3779
commit 9c007e3779
parent b67ce73227
1 changed files with 12 additions and 1 deletions
--- a/.github/snyk/.snyk
+++ b/.github/snyk/.snyk
@ -58,7 +58,18 @@ ignore:
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v   
-            - https://access.redhat.com/security/cve/CVE-2022-2668                           
+            - https://access.redhat.com/security/cve/CVE-2022-2668
+  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
+    - "*":
+        reason: >
+          On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003 
+          is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0 
+          release is out, we should be able to temporarily ignore those alerts from dependency 
+          scanners.
+          More details:
+            - https://github.com/keycloak/keycloak/issues/14785
+        expires: 2022-11-31T00:00:00.000Z
+
  # License warnings
  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
    - "*":