Update Snyk configuration file to prevent ignoring CVEs

Signed-off-by: Bruno Oliveira da Silva <bruno@abstractj.com> Closes keycloak#24331
srose · Oct 26, 2023 · 20354f3 · 20354f3
1 parent 6949738
commit 20354f3
Showing 1 changed file with 1 addition and 66 deletions.
diff --git a/.github/snyk/.snyk b/.github/snyk/.snyk
@@ -27,17 +27,7 @@ ignore:
           according to the Netty team, the fix should be available on Netty 5.
           The expiry date was set as a reminder for us to upgrade, once they
           provide the fix.
-        expires: 2023-12-31T00:00:00.000Z
-  SNYK-JAVA-ORGWILDFLYSECURITY-1316682:
-    - "*":
-        reason: >
-          WildFly Elytron was upgraded and Keycloak is no longer affected 
-          by CVE-2021-3642. The issue was fixed on Elytron 1.10.14.Final, 
-          1.15.5.Final and 1.16.1.Final last year. More details:
-            - https://issues.redhat.com/browse/ELY-2147   
-            - https://nvd.nist.gov/vuln/detail/CVE-2021-3642
-            - https://github.com/keycloak/keycloak/pull/11250
-            - https://github.com/keycloak/keycloak/pull/11197
+        expires: 2024-06-31T00:00:00.000Z
   SNYK-JAVA-ORGKEYCLOAK-1658295:
     - "*":
         reason: >
@@ -59,58 +49,3 @@ ignore:
           More details:
             - https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v   
             - https://access.redhat.com/security/cve/CVE-2022-2668
-  SNYK-JAVA-COMFASTERXMLJACKSONCORE-3038426:
-    - "*":
-        reason: >
-          On latest releases of jackson-databind (2.14.0-rc1 or higher) CVE-2022-42003 
-          is already fixed. Keycloak is not vulnerable to the CVE mentioned. Until 2.14.0 
-          release is out, we should be able to temporarily ignore those alerts from dependency 
-          scanners.
-          More details:
-            - https://github.com/keycloak/keycloak/issues/14785
-        expires: 2022-11-31T00:00:00.000Z
-  SNYK-JAVA-IOSMALLRYE-2993220:
-    - "*":
-        reason: >
-          Keycloak is not vulnerable. The issue was fixed on Quarkus 2.7.5
-          More details:
-            - https://github.com/keycloak/keycloak/issues/14993         
-
-  # License warnings
-  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.plexus:EPL-1.0:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
-  snyk:lic:maven:org.eclipse.sisu:org.eclipse.sisu.inject:EPL-1.0:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from arquillian-phantom-driver.
-  snyk:lic:maven:com.openshift:openshift-restclient-java:EPL-1.0:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Required by keycloak-services.
-  snyk:lic:maven:org.mariadb.jdbc:mariadb-java-client:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-jdbc-mariadb.
-  snyk:lic:maven:org.jboss.narayana.jts:narayana-jts-integration:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
-  snyk:lic:maven:org.jboss.narayana.jta:narayana-jta:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
-
-  snyk:lic:maven:org.hibernate:hibernate-graalvm:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Transitive dependency from quarkus-hibernate-orm.
-  snyk:lic:maven:org.hibernate:hibernate-core:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.
-  snyk:lic:maven:org.hibernate.common:hibernate-commons-annotations:LGPL-2.1:
-    - "*":
-        reason: >
-          Suppress Snyk license compliance warnings for EPL. Required by keycloak-model-jpa.