version: v1.22.2
ignore:
  SNYK-JAVA-ORGKEYCLOAK-1062507:
    - "*":
        reason: >
          The Keycloak core module is not affected by Open Redirect
          Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old
          project already decommissioned from our org. More details:
            - https://issues.redhat.com/browse/KEYCLOAK-11318
            - https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
            - https://hub.docker.com/r/keycloak/keycloak-gatekeeper
  SNYK-JAVA-ORGKEYCLOAK-1088339:
    - "*":
        reason: >
          The Keycloak services module is not affected by CVE-2021-3461 anymore,  
          the issue was fixed on Keycloak 14.0.0 last year. More details:
            - https://issues.redhat.com/browse/KEYCLOAK-17495
  SNYK-JAVA-IONETTY-1042268:
    - "*":
        reason: >
          There is no fixed version for io.netty:netty-handler. More details:
            - https://github.com/netty/netty/issues/10806
            - https://github.com/netty/netty/issues/8537
            - https://github.com/netty/netty/issues/9930
            - https://github.com/netty/netty/issues/10362
          Netty Handler is a transitive dependency coming from Quarkus,
          according to the Netty team, the fix should be available on Netty 5.
          The expiry date was set as a reminder for us to upgrade, once they
          provide the fix.
        expires: 2023-12-31T00:00:00.000Z
  SNYK-JAVA-ORGWILDFLYSECURITY-1316682:
    - "*":
        reason: >
          WildFly Elytron was upgraded and Keycloak is no longer affected 
          by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final, 
          1.15.5.Final and 1.16.1.Final last year. More details:
            - https://issues.redhat.com/browse/ELY-2147   
            - https://nvd.nist.gov/vuln/detail/CVE-2021-3642
            - https://github.com/keycloak/keycloak/pull/11250
            - https://github.com/keycloak/keycloak/pull/11197
  SNYK-JAVA-ORGKEYCLOAK-1658295:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v   
            - https://access.redhat.com/security/cve/cve-2021-3827
  SNYK-JAVA-ORGKEYCLOAK-1083276:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-mwm4-5qwr-g9pf   
            - https://access.redhat.com/security/cve/cve-2021-3424              
  SNYK-JAVA-ORGKEYCLOAK-2987457:
    - "*":
        reason: >
          Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2
          More details:
            - https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v   
            - https://access.redhat.com/security/cve/CVE-2022-2668
  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
    - "*":
        reason: >
          On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003 
          is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0 
          release is out, we should be able to temporarily ignore those alerts from dependency 
          scanners.
          More details:
            - https://github.com/keycloak/keycloak/issues/14785
        expires: 2022-11-31T00:00:00.000Z
  SNYK-JAVA-IOSMALLRYE-2993220:
    - "*":
        reason: >
          Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5
          More details:
            - https://github.com/keycloak/keycloak/issues/14993         

  # License warnings
  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
  snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.
  snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.
  snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
  snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.

  snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
  snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
  snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:
    - "*":
        reason: >
          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.