keycloak-scim/.github/snyk/.snyk
2022-10-18 18:53:27 -03:00

116 lines
5.4 KiB
Text

version: v1.22.2
ignore:
SNYK-JAVA-ORGKEYCLOAK-1062507:
- "*":
reason: >
The Keycloak core module is not affected by Open Redirect
Vulnerability (CVE-2020-1723), that relates to Gatekeeper, an old
project already decommissioned from our org. More details:
- https://issues.redhat.com/browse/KEYCLOAK-11318
- https://www.keycloak.org/2020/08/sunsetting-louketo-project.adoc
- https://hub.docker.com/r/keycloak/keycloak-gatekeeper
SNYK-JAVA-ORGKEYCLOAK-1088339:
- "*":
reason: >
The Keycloak services module is not affected by CVE-2021-3461 anymore,
the issue was fixed on Keycloak 14.0.0 last year. More details:
- https://issues.redhat.com/browse/KEYCLOAK-17495
SNYK-JAVA-IONETTY-1042268:
- "*":
reason: >
There is no fixed version for io.netty:netty-handler. More details:
- https://github.com/netty/netty/issues/10806
- https://github.com/netty/netty/issues/8537
- https://github.com/netty/netty/issues/9930
- https://github.com/netty/netty/issues/10362
Netty Handler is a transitive dependency coming from Quarkus,
according to the Netty team, the fix should be available on Netty 5.
The expiry date was set as a reminder for us to upgrade, once they
provide the fix.
expires: 2022-05-31T00:00:00.000Z
SNYK-JAVA-ORGWILDFLYSECURITY-1316682:
- "*":
reason: >
WildFly Elytron was upgraded and Keycloak is no longer affected
by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final,
1.15.5.Final and 1.16.1.Final last year. More details:
- https://issues.redhat.com/browse/ELY-2147
- https://nvd.nist.gov/vuln/detail/CVE-2021-3642
- https://github.com/keycloak/keycloak/pull/11250
- https://github.com/keycloak/keycloak/pull/11197
SNYK-JAVA-ORGKEYCLOAK-1658295:
- "*":
reason: >
Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
More details:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v
- https://access.redhat.com/security/cve/cve-2021-3827
SNYK-JAVA-ORGKEYCLOAK-1083276:
- "*":
reason: >
Keycloak is no longer vulnerable. The issue was fixed on Keycloak 18.0.0
More details:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-mwm4-5qwr-g9pf
- https://access.redhat.com/security/cve/cve-2021-3424
SNYK-JAVA-ORGKEYCLOAK-2987457:
- "*":
reason: >
Keycloak is no longer vulnerable. The issue was fixed on Keycloak 19.0.2
More details:
- https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v
- https://access.redhat.com/security/cve/CVE-2022-2668
SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
- "*":
reason: >
On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003
is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0
release is out, we should be able to temporarily ignore those alerts from dependency
scanners.
More details:
- https://github.com/keycloak/keycloak/issues/14785
expires: 2022-11-31T00:00:00.000Z
SNYK-JAVA-IOSMALLRYE-2993220:
- "*":
reason: >
Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5
More details:
- https://github.com/keycloak/keycloak/issues/14993
# License warnings
snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.
snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.
snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:
- "*":
reason: >
Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.