version: v1.22.2 ignore: SNYK-JAVA-ORGKEYCLOAK-1062507: - "*": reason: > The Keycloak core module is not affected by Open Redirect Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old project already decommissioned from our org. More details: - https://issues.redhat.com/browse/KEYCLOAK-11318 - https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc - https://hub.docker.com/r/keycloak/keycloak-gatekeeper SNYK-JAVA-ORGKEYCLOAK-1088339: - "*": reason: > The Keycloak services module is not affected by CVE-2021-3461 anymore, the issue was fixed on Keycloak 14.0.0 last year. More details: - https://issues.redhat.com/browse/KEYCLOAK-17495 SNYK-JAVA-IONETTY-1042268: - "*": reason: > There is no fixed version for io.netty:netty-handler. More details: - https://github.com/netty/netty/issues/10806 - https://github.com/netty/netty/issues/8537 - https://github.com/netty/netty/issues/9930 - https://github.com/netty/netty/issues/10362 Netty Handler is a transitive dependency coming from Quarkus, according to the Netty team, the fix should be available on Netty 5. The expiry date was set as a reminder for us to upgrade, once they provide the fix. expires: 2022-05-31T00:00:00.000Z SNYK-JAVA-ORGWILDFLYSECURITY-1316682: - "*": reason: > WildFly Elytron was upgraded and Keycloak is no longer affected by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final, 1.15.5.Final and 1.16.1.Final last year. More details: - https://issues.redhat.com/browse/ELY-2147 - https://nvd.nist.gov/vuln/detail/CVE-2021-3642 - https://github.com/keycloak/keycloak/pull/11250 - https://github.com/keycloak/keycloak/pull/11197 SNYK-JAVA-ORGKEYCLOAK-1658295: - "*": reason: > Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0 More details: - https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v - https://access.redhat.com/security/cve/cve-2021-3827 SNYK-JAVA-ORGKEYCLOAK-1083276: - "*": reason: > Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0 More details: - https://github.com/keycloak/keycloak/security/advisories/GHSA-mwm4-5qwr-g9pf - https://access.redhat.com/security/cve/cve-2021-3424 SNYK-JAVA-ORGKEYCLOAK-2987457: - "*": reason: > Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2 More details: - https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v - https://access.redhat.com/security/cve/CVE-2022-2668 SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426: - "*": reason: > On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003 is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0 release is out, we should be able to temporarily ignore those alerts from dependency scanners. More details: - https://github.com/keycloak/keycloak/issues/14785 expires: 2022-11-31T00:00:00.000Z SNYK-JAVA-IOSMALLRYE-2993220: - "*": reason: > Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5 More details: - https://github.com/keycloak/keycloak/issues/14993 # License warnings snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver. snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver. snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Required by keycloak-services. snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb. snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm. snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm. snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm. snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa. snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1: - "*": reason: > Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.