Update Snyk ignore file to ignore jackson-databind 2.14.0 is out

Resolves #14831
This commit is contained in:
Bruno Oliveira da Silva 2022-10-10 18:32:35 -03:00
parent b67ce73227
commit 9c007e3779

11
.github/snyk/.snyk vendored
View file

@ -59,6 +59,17 @@ ignore:
More details:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
- https://access.redhat.com/security/cve/CVE-2022-2668
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
- "*":
reason: >
On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003
is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0
release is out, we should be able to temporarily ignore those alerts from dependency
scanners.
More details:
- https://github.com/keycloak/keycloak/issues/14785
expires: 2022-11-31T00:00:00.000Z
# License warnings
snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
- "*":