From 9bfa4cd13857aac37a6d754fc013ecb719cebde9 Mon Sep 17 00:00:00 2001
From: Bruno Oliveira da Silva
Date: Wed, 19 Feb 2025 11:20:38 -0300
Subject: [PATCH] Supress the false positives reported by scorecards

Closes #37499

Signed-off-by: Bruno Oliveira da Silva
---
 distribution/maven-plugins/osv-scanner.toml | 10 +++++++++
 js/osv-scanner.toml | 21 +++++++++++++++++++
 .../tests/other/webauthn/osv-scanner.toml | 19 +++++++++++++++++
 3 files changed, 50 insertions(+)
 create mode 100644 distribution/maven-plugins/osv-scanner.toml
 create mode 100644 js/osv-scanner.toml
 create mode 100644 testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml

diff --git a/distribution/maven-plugins/osv-scanner.toml b/distribution/maven-plugins/osv-scanner.toml
new file mode 100644
index 00000000000..683c1704898
--- /dev/null
+++ b/distribution/maven-plugins/osv-scanner.toml
@@ -0,0 +1,10 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# Suppress TestNG alert:
+# - TestNG is brought in as a transitive dependency via groovy-testng.
+# - Test dependencies are not included in the server distribution.
+# - The latest groovy-testng version doesn't address the CVE.
+
+[[IgnoredVulns]]
+id = "GHSA-rc2q-x9mf-w3vf"
+reason = "suppressed because TestNG, a transitive dependency from groovy-testng, isn’t included in the server distribution."
diff --git a/js/osv-scanner.toml b/js/osv-scanner.toml
new file mode 100644
index 00000000000..d5fc8f5156c
--- /dev/null
+++ b/js/osv-scanner.toml
@@ -0,0 +1,21 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-9mvj-f7w8-pvh2"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-67mh-4wv8-2f99"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-gxr4-xjj5-5px2"
+reason = "reason"
+
+# Reason
+[[IgnoredVulns]]
+id = "GHSA-jpcq-cgw6-v4j6"
+reason = "reason"
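Review bot: The suppression for GHSA-rc2q-x9mf-w3vf is open-ended, while the comment above it rests partly on "The latest groovy-testng version doesn't address the CVE", a fact that goes stale the moment groovy-testng or TestNG ships a fix. osv-scanner's `[[IgnoredVulns]]` entries accept an optional `ignoreUntil` local date after which the finding is reported again, so adding a line such as `ignoreUntil = 2025-08-19  # constructed example: re-evaluate six months after this suppression` turns a permanent ignore into a periodic re-check; the same applies to every entry in the js/osv-scanner.toml and testsuite webauthn osv-scanner.toml hunks. The comment also says "the CVE" although the entry is keyed by a GHSA advisory id, so `# - The latest groovy-testng version doesn't address this advisory.` would match what the file actually references.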
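Review bot: All four `[[IgnoredVulns]]` entries in js/osv-scanner.toml carry the placeholder `# Reason` and `reason = "reason"`, so the file records no justification at all: a reader or a later audit cannot tell which package each GHSA id concerns, whether that code is shipped, or why the finding is considered a false positive, which is exactly what the reason field exists to capture. Each entry should follow the pattern the other two files use, a comment naming the package and how it is pulled in plus a reason along the lines of `reason = "suppressed because <package>, a <dev/test> dependency from <parent>, isn't shipped ..."` (placeholder wording; the affected packages are not visible in this patch). As written these look like unfinished placeholders rather than reviewed suppressions, and nothing in the file supports the commit message's "false positives" description for them.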
diff --git a/testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml b/testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml
new file mode 100644
index 00000000000..e3d93ec4053
--- /dev/null
+++ b/testsuite/integration-arquillian/tests/other/webauthn/osv-scanner.toml
@@ -0,0 +1,19 @@
+# Ignore false positives for https://securityscorecards.dev/viewer/?uri=github.com/keycloak/keycloak
+
+# guava is a test dependency coming from htmlunit3-driver, not shipped with the server distribution.
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-5mg8-w23w-74h3"
+reason = "suppressed because guava, a transitive dependency from htmlunit3-driver, isn’t included in the server distribution."
+
+# guava is a test dependency coming from htmlunit3-driver, not shipped with the server distribution.
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-7g45-4rm6-3mm3"
+reason = "suppressed because guava, a transitive dependency from htmlunit3-driver, isn’t included in the server distribution."
+
+# commons-io is a test dependency coming from htmlunit, not shipped with the server distribution.
+# There are no plans to upgrading it considering the effort and breaking changes.
+[[IgnoredVulns]]
+id = "GHSA-78wr-2p64-hpwj"
+reason = "suppressed because commons-io, a transitive dependency from htmlunit, isn’t included in the server distribution."
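Review bot: The comment line `# There are no plans to upgrading it considering the effort and breaking changes.` is repeated verbatim above all three entries with a grammatical slip; `# There are no plans to upgrade it, given the effort and breaking changes involved.` reads correctly. The two guava entries (GHSA-5mg8-w23w-74h3 and GHSA-7g45-4rm6-3mm3) share an identical two-line comment and reason; separate `[[IgnoredVulns]]` tables are required by the format, but the explanatory comment could be written once above the pair so a future edit does not update one copy and miss the other. The third entry attributes commons-io to `htmlunit` while the guava entries cite `htmlunit3-driver`; whether that distinction is deliberate cannot be checked from the patch, so it is worth confirming it is not a typo.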